SHA256: 89ea1a037e5854d4044086621196b3c3de8a08359a15213f29d71995fc97c0bd
File name: Travel Order Confirmation - 0300202959.doc
Detection ratio: 39 / 54
Analysis date: 2016-02-08 03:04:05 UTC ( 1 year, 4 months ago )
Antivirus Result Update
Ad-Aware W97M.Downloader.RJ 20160208
AegisLab Troj.Downloader.MSWord.Agent.km!c 20160207
AhnLab-V3 DOC/Downloader 20160207
ALYac W97M.Downloader.RJ 20160208
Antiy-AVL Trojan/MSOffice.gen 20160208
Arcabit HEUR.VBA.Trojan.d 20160208
Avast VBA:Downloader-ABM [Trj] 20160208
AVG W97M/Downloader.W 20160207
BitDefender W97M.Downloader.RJ 20160208
CAT-QuickHeal W97M.Dropper.GA 20160206
Comodo UnclassifiedMalware 20160207
Cyren W97M/Downloader.CJ 20160208
DrWeb W97M.DownLoader.371 20160208
Emsisoft Trojan-Downloader.VBA.Agent (A) 20160208
ESET-NOD32 VBA/TrojanDownloader.Agent.RV 20160207
F-Prot W97M/Downloader.CJ 20160129
F-Secure Trojan:W97M/MaliciousMacro.GEN 20160208
Fortinet WM/Agent!tr 20160208
GData W97M.Downloader.RJ 20160208
Ikarus Trojan-Downloader.VBA.Agent 20160208
K7AntiVirus Trojan ( 0001140e1 ) 20160207
K7GW Trojan ( 0001140e1 ) 20160208
Kaspersky Trojan-Downloader.MSWord.Agent.km 20160208
McAfee W97M/Downloader.aha 20160208
McAfee-GW-Edition W97M/Downloader.aha 20160208
Microsoft TrojanDownloader:O97M/Donoff 20160207
eScan W97M.Downloader.RJ 20160208
NANO-Antivirus Trojan.Script.Agent.dsdlpq 20160208
nProtect W97M.Downloader.RJ 20160205
Panda W97M/Downloader 20160207
Qihoo-360 heur.macro.download.va 20160208
Sophos Troj/DocDl-OK 20160208
Symantec W97M.Downloader 20160207
Tencent Word.Trojan-downloader.Agent.Lkne 20160208
TrendMicro W2KM_DLOADR.XTTR 20160208
TrendMicro-HouseCall W2KM_DLOADR.XTTR 20160208
VBA32 Trojan-Downloader.MSWord.Agent 20160204
VIPRE Lookslike.Macro.Downloader.c (v) 20160208
ViRobot W97M.S.Downloader.72704.D[h] 20160207
Yandex 20160206
Alibaba 20160204
Baidu-International 20160207
Bkav 20160204
ByteHero 20160208
ClamAV 20160206
CMC 20160205
Jiangmin 20160208
Malwarebytes 20160207
Rising 20160207
SUPERAntiSpyware 20160207
TheHacker 20160206
TotalDefense 20160208
Zillya 20160206
Zoner 20160207
The file being studied follows the Compound Document File format. More specifically, it is an MS Word document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May write to a file.
May create additional files.
May create OLE objects.
Seems to contain deobfuscation code.
Summary
last_author: GN
creation_datetime: 2015-05-21 07:45:00
template: Normal.dot
author: 1
page_count: 1
last_saved: 2015-05-21 07:45:00
revision_number: 2
application_name: Microsoft Office Word
code_page: Cyrillic
Document summary
line_count: 1
version: 730895
paragraph_count: 1
code_page: Cyrillic
OLE Streams
sid   type_literal   type    size    name
0     root           -       24768   Root Entry (clsid: 00020906-0000-0000-c000-000000000046, clsid_literal: MS Word)
31    stream         -       113     \x01CompObj
4     stream         -       4096    \x05DocumentSummaryInformation
3     stream         -       4096    \x05SummaryInformation
1     stream         -       6367    1Table
30    stream         -       648     Macros/PROJECT
29    stream         -       134     Macros/PROJECTwm
10    stream         macro   2252    Macros/VBA/M11
19    stream         macro   3718    Macros/VBA/M3
13    stream         macro   5249    Macros/VBA/Module1
16    stream         macro   8803    Macros/VBA/Module2
22    stream         macro   3396    Macros/VBA/Module3
7     stream         macro   2000    Macros/VBA/ThisDocument
25    stream         -       5446    Macros/VBA/_VBA_PROJECT
27    stream         -       3527    Macros/VBA/__SRP_0
28    stream         -       340     Macros/VBA/__SRP_1
8     stream         -       384     Macros/VBA/__SRP_2
9     stream         -       149     Macros/VBA/__SRP_3
11    stream         -       252     Macros/VBA/__SRP_4
12    stream         -       113     Macros/VBA/__SRP_5
14    stream         -       1334    Macros/VBA/__SRP_6
15    stream         -       259     Macros/VBA/__SRP_7
17    stream         -       2664    Macros/VBA/__SRP_8
18    stream         -       190     Macros/VBA/__SRP_9
20    stream         -       714     Macros/VBA/__SRP_a
21    stream         -       142     Macros/VBA/__SRP_b
23    stream         -       574     Macros/VBA/__SRP_c
24    stream         -       144     Macros/VBA/__SRP_d
26    stream         -       930     Macros/VBA/dir
2     stream         -       4151    WordDocument
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 93 bytes
[+] M11.bas Macros/VBA/M11 415 bytes
[+] Module1.bas Macros/VBA/Module1 1036 bytes
create-ole obfuscated open-file
[+] Module2.bas Macros/VBA/Module2 3207 bytes
create-file obfuscated open-file write-file
[+] M3.bas Macros/VBA/M3 893 bytes
[+] Module3.bas Macros/VBA/Module3 826 bytes
ExifTool file metadata
SharedDoc: No
Author: 1
CodePage: Windows Cyrillic
LinksUpToDate: No
LastModifiedBy: GN
HeadingPairs: , 1
Template: Normal.dot
CharCountWithSpaces: 0
CreateDate: 2015:05:21 06:45:00
CompObjUserType: ???????? Microsoft Office Word
ModifyDate: 2015:05:21 06:45:00
HyperlinksChanged: No
Characters: 0
ScaleCrop: No
RevisionNumber: 2
MIMEType: application/msword
Words: 0
FileType: DOC
Lines: 1
AppVersion: 11.9999
Security: None
Software: Microsoft Office Word
TotalEditTime: 0
Pages: 1
CompObjUserTypeLen: 31
FileTypeExtension: doc
Paragraphs: 1

File identification
MD5 a176dbfbd0541553446eec7954d11e5e
SHA1 beebd68fe9a10e8bc0ba9d1ca131589596723560
SHA256 89ea1a037e5854d4044086621196b3c3de8a08359a15213f29d71995fc97c0bd
ssdeep
768:G2K1cDlyQDyVl02gZz0amjp0EBQ5VsxVFx3:G2LD2l02A0aqp0BCz

File size 71.0 KB ( 72704 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: 1, Template: Normal.dot, Last Saved By: GN, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed May 20 06:45:00 2015, Last Saved Time/Date: Wed May 20 06:45:00 2015, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0

TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags
obfuscated open-file doc create-file macros attachment write-file create-ole

VirusTotal metadata
First submission 2015-05-21 07:47:17 UTC ( 2 years, 1 month ago )
Last submission 2015-06-03 11:03:49 UTC ( 2 years ago )
File names ecbeda32bce53a33ae71b9ba6c1d7012
Travel Order Confirmation - 0300202959.doc-
2e8046ebe9a0f77fb0a4524a5274cbcc
4b26de6b63e4232a5904c9a8d516d2a1
48e0c36290f899da77c017577a7c6234
5f2fc08476f4bedb6b05ee79eb83ffa7
260515113536569.DOC
phis.doc
7b9272291ec92e33b869da60e47b5f54
865a6f09fef1a3d63dabe59d79154d59
000001.DOC
Travel Order Confirmation - 0300202959.doc
2c2dfa03b580e83404c247cd8c60bfcf