SHA256: 8e2d48a763b0fdfa61a2af12b69a6babe859c4c6347211c6e43f52b5236a914e
File name: malware.doc
Detection ratio: 5 / 55
Analysis date: 2015-11-23 13:11:54 UTC ( 3 years, 5 months ago )
Antivirus              Result                               Update
Arcabit                HEUR(high).VBA.Trojan                20151123
AVware                 LooksLike.Macro.Malware.gen!d1 (v)   20151123
ESET-NOD32             VBA/TrojanDownloader.Agent.AJQ       20151123
Sophos AV              Troj/DocDl-ACU                       20151123
VIPRE                  LooksLike.Macro.Malware.gen!d1 (v)   20151123
Ad-Aware               -                                    20151123
AegisLab               -                                    20151123
Yandex                 -                                    20151122
AhnLab-V3              -                                    20151122
Alibaba                -                                    20151123
ALYac                  -                                    20151123
Antiy-AVL              -                                    20151123
Avast                  -                                    20151123
AVG                    -                                    20151123
Avira (no cloud)       -                                    20151123
Baidu-International    -                                    20151123
BitDefender            -                                    20151123
Bkav                   -                                    20151123
ByteHero               -                                    20151123
CAT-QuickHeal          -                                    20151123
ClamAV                 -                                    20151123
CMC                    -                                    20151118
Comodo                 -                                    20151123
Cyren                  -                                    20151123
DrWeb                  -                                    20151123
Emsisoft               -                                    20151123
F-Prot                 -                                    20151123
F-Secure               -                                    20151123
Fortinet               -                                    20151123
GData                  -                                    20151123
Ikarus                 -                                    20151123
Jiangmin               -                                    20151122
K7AntiVirus            -                                    20151123
K7GW                   -                                    20151123
Kaspersky              -                                    20151123
Malwarebytes           -                                    20151123
McAfee                 -                                    20151123
McAfee-GW-Edition      -                                    20151123
Microsoft              -                                    20151123
eScan                  -                                    20151123
NANO-Antivirus         -                                    20151123
nProtect               -                                    20151120
Panda                  -                                    20151122
Qihoo-360              -                                    20151123
Rising                 -                                    20151122
SUPERAntiSpyware       -                                    20151123
Symantec               -                                    20151122
Tencent                -                                    20151123
TheHacker              -                                    20151121
TrendMicro             -                                    20151123
TrendMicro-HouseCall   -                                    20151123
VBA32                  -                                    20151120
ViRobot                -                                    20151123
Zillya                 -                                    20151123
Zoner                  -                                    20151123
The file being studied follows the Compound Document File (CDF/OLE2) format; more specifically, it is a Microsoft Word document.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when a document is opened or edited.
May read system environment variables.
May open a file.
May write to a file.
May create additional files.
May try to run other files, shell commands or applications.
May create OLE objects.
May enumerate open windows.
Seems to contain deobfuscation code.
Seems to contain code to deceive researchers and automatic analysis systems.
Summary
last_author: 1
creation_datetime: 2015-11-23 07:58:00
revision_number: 2
author: 1
page_count: 1
last_saved: 2015-11-23 07:58:00
edit_time: 60
template: Normal
application_name: Microsoft Office Word
code_page: Cyrillic
Document summary
company: Home
version: 917504
code_page: Cyrillic
OLE Streams
sid   type_literal   type    name                             size    clsid
0     root           -       Root Entry                       3392    00020906-0000-0000-c000-000000000046 (MS Word)
15    stream         -       \x01CompObj                      114
4     stream         -       \x05DocumentSummaryInformation   4096
3     stream         -       \x05SummaryInformation           4096
1     stream         -       1Table                           7544
14    stream         -       Macros/PROJECT                   515
13    stream         -       Macros/PROJECTwm                 113
8     stream         macro   Macros/VBA/Module1               16688
9     stream         macro   Macros/VBA/Module2               14053
10    stream         macro   Macros/VBA/Module3               19886
7     stream         macro   Macros/VBA/ThisDocument          1907
11    stream         -       Macros/VBA/_VBA_PROJECT          7727
12    stream         -       Macros/VBA/dir                   617
2     stream         -       WordDocument                     4096
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 132 bytes
[+] Module1.bas Macros/VBA/Module1 7303 bytes
create-ole open-file write-file
[+] Module2.bas Macros/VBA/Module2 6537 bytes
exe-pattern url-pattern create-file obfuscated
[+] Module3.bas Macros/VBA/Module3 10551 bytes
exe-pattern anti-analysis create-ole enum-windows environ obfuscated open-file run-file
ExifTool file metadata
SharedDoc: No
Author: 1
HyperlinksChanged: No
System: Windows
LinksUpToDate: No
LastModifiedBy: 1
HeadingPairs: , 1
Identification: Word 8.0
Template: Normal
CharCountWithSpaces: 0
Word97: No
LanguageCode: Russian
CompObjUserType: Документ Microsoft Word 97-2003
ModifyDate: 2015:11:23 06:58:00
Company: Home
Characters: 0
CodePage: Windows Cyrillic
RevisionNumber: 2
MIMEType: application/msword
Words: 0
CreateDate: 2015:11:23 06:58:00
Lines: 0
AppVersion: 14.0
Security: None
Software: Microsoft Office Word
FileType: DOC
TotalEditTime: 1 minute
Pages: 1
ScaleCrop: No
CompObjUserTypeLen: 32
FileTypeExtension: doc
Paragraphs: 0
LastPrinted: 0000:00:00 00:00:00
DocFlags: 1Table, ExtChar

File identification
MD5: 5b6c01ea40acfb7dff4337710cf0a56c
SHA1: a1190e76227836ac27e1234ce7611d93dd9cbef9
SHA256: 8e2d48a763b0fdfa61a2af12b69a6babe859c4c6347211c6e43f52b5236a914e
ssdeep: 1536:Js0WWkyUTtrp25rvU+RdBKRiwxn03V6F:qWkyUTtrp25DBKRiwt0F6
File size: 85.0 KB ( 87040 bytes )
File type: MS Word Document
Magic literal: CDF V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: 1, Template: Normal, Last Saved By: 1, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Sun Nov 22 06:58:00 2015, Last Saved Time/Date: Sun Nov 22 06:58:00 2015, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0
TrID:
  Microsoft Word document (54.2%)
  Microsoft Word document (old ver.) (32.2%)
  Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated open-file enum-windows exe-pattern url-pattern via-tor create-file run-file macros environ attachment doc write-file anti-analysis create-ole

VirusTotal metadata
First submission 2015-11-23 12:06:24 UTC ( 3 years, 5 months ago )
Last submission 2017-01-10 04:06:25 UTC ( 2 years, 4 months ago )
File names:
  44f98da69ba15357187748e72d9b71d7
  51fbec6f7ec3bae39481f5dee5b08b57
  988271023-PRCL-1.doc
  988271023-PRCL.doc
  malware.doc
  cfb4c79586e8511fa54c4d392992744e
  4166414.root_1.doc
  11-988271023-PRCL.doc
  5b6c01ea40acfb7dff4337710cf0a56c.doc
  cRpPEP20.doc
  20151123213455_988271023-PRCL.doc
  0e4bd15e7585b3b0e4f1f9bc9595e0a8
  A1190E76227836AC27E1234CE7611D93DD9CBEF9.NQF.bin
  2619466817.doc
  b9db163aa326a6fb694feb6a96cb5834