SHA256: 862d16e4d3ae8bc6902f8afb5fc434f72017cf4e7c67fdbb8287a99ea65c43d3
File name: Blank 11.doc
Detection ratio: 38 / 55
Analysis date: 2017-02-21 21:51:56 UTC ( 4 months ago )
Antivirus Result Update
Ad-Aware Trojan.Downloader.JRVD 20170221
AegisLab Troj.Downloader.MSWord.Agent.kq!c 20170221
AhnLab-V3 W97M/Downloader 20170221
ALYac Trojan.Downloader.JRVD 20170221
Antiy-AVL Trojan[Downloader]/MSWord.Agent.kq 20170221
Arcabit HEUR.VBA.Trojan.d 20170221
Avast VBA:Downloader-EE [Trj] 20170221
AVG W97M/Downloader 20170221
Avira (no cloud) W97M/Adnel.74240 20170221
AVware LooksLike.Macro.Malware.g (v) 20170221
Baidu VBA.Trojan-Downloader.Agent.ok 20170221
BitDefender Trojan.Downloader.JRVD 20170221
CAT-QuickHeal W97M.Dropper.GE 20170221
Cyren W97M/Donoff 20170221
DrWeb W97M.DownLoader.388 20170221
Emsisoft Trojan.Downloader.JRVD (B) 20170221
ESET-NOD32 VBA/TrojanDownloader.Agent.SI 20170221
F-Prot New or modified W97M/Donoff 20170221
F-Secure Trojan-Downloader:W97M/Dridex.R 20170221
Fortinet WM/Agent.BXQ!tr 20170221
GData Trojan.Downloader.JRVD 20170221
Ikarus Trojan-Downloader.VBA.Agent 20170221
Jiangmin WM/Downloader.Agent.kq 20170221
Kaspersky Trojan-Downloader.MSWord.Agent.kq 20170221
McAfee W97M/Downloader.ahh 20170221
McAfee-GW-Edition W97M/Downloader.ahh 20170221
Microsoft TrojanDownloader:O97M/Adnel 20170221
eScan Trojan.Downloader.JRVD 20170221
NANO-Antivirus Trojan.Script.Agent.dsgamf 20170221
Panda W97M/Downloader 20170221
Qihoo-360 heur.macro.gen.q 20170221
Rising Hack.Exploit.CVE-2012-0158.dj (classic) 20170221
Sophos Troj/DocDl-OT 20170221
Symantec W97M.Downloader 20170221
Tencent Word.Trojan-downloader.Agent.Pciz 20170221
TrendMicro W2KM_DLOADER.FLG 20170221
TrendMicro-HouseCall W2KM_DLOADER.FLG 20170221
VIPRE LooksLike.Macro.Malware.g (v) 20170221
Alibaba 20170221
Bkav 20170221
ClamAV 20170221
CMC 20170221
Comodo 20170221
CrowdStrike Falcon (ML) 20170130
Endgame 20170217
Invincea 20170203
K7AntiVirus 20170221
K7GW 20170221
Kingsoft 20170221
nProtect 20170221
SUPERAntiSpyware 20170221
TheHacker 20170221
TotalDefense 20170221
Trustlook 20170221
VBA32 20170221
ViRobot 20170221
Webroot 20170221
WhiteArmor 20170215
Yandex 20170221
Zillya 20170220
Zoner 20170221
The file being studied follows the Compound Document File format. More specifically, it is an MS Word document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when a document is opened or edited.
May open a file.
May write to a file.
May create additional files.
May create OLE objects.
Seems to contain deobfuscation code.
Summary
last_author
Alex
creation_datetime
2015-05-26 07:37:00
template
Normal.dotm
author
1
page_count
1
last_saved
2015-05-26 07:37:00
revision_number
2
application_name
Microsoft Office Word
code_page
Cyrillic
Document summary
version
917504
code_page
Cyrillic
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
30784
type_literal
stream
size
114
name
\x01CompObj
sid
32
type_literal
stream
size
4096
name
\x05DocumentSummaryInformation
sid
4
type_literal
stream
size
4096
name
\x05SummaryInformation
sid
3
type_literal
stream
size
11058
name
1Table
sid
1
type_literal
stream
size
763
name
Macros/PROJECT
sid
31
type_literal
stream
size
173
name
Macros/PROJECTwm
sid
30
type_literal
stream
size
4721
type
macro
name
Macros/VBA/M11
sid
10
type_literal
stream
size
678
type
macro (only attributes)
name
Macros/VBA/M2
sid
22
type_literal
stream
size
2317
type
macro
name
Macros/VBA/M3
sid
19
type_literal
stream
size
3573
type
macro
name
Macros/VBA/M3F1
sid
21
type_literal
stream
size
3108
type
macro
name
Macros/VBA/M4F1
sid
23
type_literal
stream
size
2657
type
macro
name
Macros/VBA/Module1
sid
13
type_literal
stream
size
3602
type
macro
name
Macros/VBA/Module2
sid
16
type_literal
stream
size
2267
type
macro
name
Macros/VBA/Module3
sid
20
type_literal
stream
size
2003
type
macro
name
Macros/VBA/ThisDocument
sid
7
type_literal
stream
size
5846
name
Macros/VBA/_VBA_PROJECT
sid
26
type_literal
stream
size
2727
name
Macros/VBA/__SRP_0
sid
28
type_literal
stream
size
298
name
Macros/VBA/__SRP_1
sid
29
type_literal
stream
size
420
name
Macros/VBA/__SRP_2
sid
8
type_literal
stream
size
149
name
Macros/VBA/__SRP_3
sid
9
type_literal
stream
size
2666
name
Macros/VBA/__SRP_4
sid
17
type_literal
stream
size
105
name
Macros/VBA/__SRP_5
sid
18
type_literal
stream
size
316
name
Macros/VBA/__SRP_6
sid
14
type_literal
stream
size
213
name
Macros/VBA/__SRP_7
sid
15
type_literal
stream
size
292
name
Macros/VBA/__SRP_8
sid
24
type_literal
stream
size
195
name
Macros/VBA/__SRP_9
sid
25
type_literal
stream
size
198
name
Macros/VBA/__SRP_a
sid
11
type_literal
stream
size
158
name
Macros/VBA/__SRP_b
sid
12
type_literal
stream
size
1025
name
Macros/VBA/dir
sid
27
type_literal
stream
size
4096
name
WordDocument
sid
2
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 90 bytes
[+] M11.bas Macros/VBA/M11 2360 bytes
create-file obfuscated open-file write-file
[+] Module1.bas Macros/VBA/Module1 743 bytes
create-ole
[+] Module2.bas Macros/VBA/Module2 1367 bytes
obfuscated open-file
[+] M3.bas Macros/VBA/M3 893 bytes
[+] Module3.bas Macros/VBA/Module3 824 bytes
[+] M3F1.bas Macros/VBA/M3F1 1449 bytes
[+] M4F1.bas Macros/VBA/M4F1 883 bytes
obfuscated open-file
ExifTool file metadata
SharedDoc
No

Author
1

CodePage
Windows Cyrillic

LinksUpToDate
No

LastModifiedBy
Alex

HeadingPairs
, 1

Template
Normal.dotm

CharCountWithSpaces
0

CreateDate
2015:05:26 06:37:00

CompObjUserType
???????? Microsoft Word 97-2003

ModifyDate
2015:05:26 06:37:00

HyperlinksChanged
No

Characters
0

ScaleCrop
No

RevisionNumber
2

MIMEType
application/msword

Words
0

FileType
DOC

Lines
0

AppVersion
14.0

Security
None

Software
Microsoft Office Word

TotalEditTime
0

Pages
1

CompObjUserTypeLen
32

FileTypeExtension
doc

Paragraphs
0

File identification
MD5 41b95e3e93789ce1e5e133d9a8ef1f49
SHA1 837fc5d6b248f8a4ceef6caf14a99d5114991c6d
SHA256 862d16e4d3ae8bc6902f8afb5fc434f72017cf4e7c67fdbb8287a99ea65c43d3
ssdeep
768:CfJg1PbW/DvgMjzfImtUbKH8wFWkSPRinRgNKHcl:h1KtjjEK/FW55sRgIHK

File size 72.5 KB ( 74240 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: 1, Template: Normal.dotm, Last Saved By: Alex, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon May 25 06:37:00 2015, Last Saved Time/Date: Mon May 25 06:37:00 2015, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated open-file cve-2012-0158 doc create-file macros exploit attachment via-tor write-file create-ole

VirusTotal metadata
First submission 2015-05-26 09:00:09 UTC ( 2 years ago )
Last submission 2017-02-21 21:51:56 UTC ( 4 months ago )
File names 41b95e3e93789ce1e5e133d9a8ef1f49.malware
Invoice INV232654.doc
e195fcfaf13db3c9f8c51532df3fbf7c
36ca9d7e3635953f2811cdfc50e10700
Blank 11.doc
64b3d4c37bad027bbb260ec0213a5d1b
837fc5d6b248f8a4ceef6caf14a99d5114991c6d.doc