SHA256: 9594c4a60d67b58d48f8d235c5a03a26e2435a791cfdb89f6892fcb81954b435
File name: SageInvoice.doc
Detection ratio: 4 / 57
Analysis date: 2017-07-14 13:24:07 UTC ( 1 year, 9 months ago )
Antivirus Result Update
Arcabit HEUR.VBA.Trojan.e 20170714
Ikarus Win32.SuspectCrc 20170714
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi 20170714
Tencent Macro.Trojan.Dropperx.Auto 20170714
Ad-Aware 20170714
AegisLab 20170714
AhnLab-V3 20170714
Alibaba 20170714
ALYac 20170714
Antiy-AVL 20170714
Avast 20170714
AVG 20170714
Avira (no cloud) 20170714
AVware 20170714
Baidu 20170714
BitDefender 20170714
Bkav 20170714
CAT-QuickHeal 20170714
ClamAV 20170714
CMC 20170714
Comodo 20170714
CrowdStrike Falcon (ML) 20170710
Cylance 20170714
Cyren 20170714
DrWeb 20170714
Emsisoft 20170714
Endgame 20170713
ESET-NOD32 20170714
F-Prot 20170714
F-Secure 20170714
Fortinet 20170629
GData 20170714
Sophos ML 20170607
Jiangmin 20170714
K7AntiVirus 20170714
K7GW 20170714
Kaspersky 20170714
Kingsoft 20170714
Malwarebytes 20170714
MAX 20170714
McAfee 20170714
McAfee-GW-Edition 20170714
Microsoft 20170714
eScan 20170714
nProtect 20170714
Palo Alto Networks (Known Signatures) 20170714
Panda 20170714
Qihoo-360 20170714
Rising 20170714
SentinelOne (Static ML) 20170516
Sophos AV 20170714
SUPERAntiSpyware 20170714
Symantec 20170714
Symantec Mobile Insight 20170713
TheHacker 20170712
TrendMicro 20170714
TrendMicro-HouseCall 20170714
Trustlook 20170714
VBA32 20170714
VIPRE 20170714
ViRobot 20170714
Webroot 20170714
WhiteArmor 20170713
Yandex 20170713
Zillya 20170713
ZoneAlarm by Check Point 20170714
Zoner 20170714
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May try to run other files, shell commands or applications.
Seems to contain deobfuscation code.
Summary
last_author
user
creation_datetime
2017-07-14 11:49:00
revision_number
3
author
Admin
page_count
1
last_saved
2017-07-14 11:50:00
edit_time
120
word_count
25
template
Normal
application_name
Microsoft Office Word
character_count
148
code_page
Cyrillic
Document summary
line_count
1
characters_with_spaces
172
version
786432
paragraph_count
1
code_page
Cyrillic
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
13248
type_literal
stream
sid
20
name
\x01CompObj
size
121
type_literal
stream
sid
5
name
\x05DocumentSummaryInformation
size
4096
type_literal
stream
sid
4
name
\x05SummaryInformation
size
4096
type_literal
stream
sid
2
name
1Table
size
7481
type_literal
stream
sid
1
name
Data
size
59540
type_literal
stream
sid
16
name
Macros/F1/\x01CompObj
size
97
type_literal
stream
sid
17
name
Macros/F1/\x03VBFrame
size
281
type_literal
stream
sid
14
name
Macros/F1/f
size
666
type_literal
stream
sid
15
name
Macros/F1/o
size
224
type_literal
stream
sid
19
name
Macros/PROJECT
size
604
type_literal
stream
sid
18
name
Macros/PROJECTwm
size
74
type_literal
stream
sid
10
type
macro
name
Macros/VBA/F1
size
1464
type_literal
stream
sid
9
type
macro
name
Macros/VBA/Module1
size
3815
type_literal
stream
sid
8
type
macro
name
Macros/VBA/ThisDocument
size
1117
type_literal
stream
sid
11
name
Macros/VBA/_VBA_PROJECT
size
3524
type_literal
stream
sid
12
name
Macros/VBA/dir
size
834
type_literal
stream
sid
3
name
WordDocument
size
4142
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 32 bytes
[+] Module1.bas Macros/VBA/Module1 989 bytes
obfuscated run-file
[+] F1.frm Macros/VBA/F1 88 bytes
ExifTool file metadata
SharedDoc
No

Author
Admin

HyperlinksChanged
No

System
Windows

LinksUpToDate
No

LastModifiedBy
user

HeadingPairs
Title, 1

Identification
Word 8.0

Template
Normal

CharCountWithSpaces
172

CreateDate
2017:07:14 10:49:00

Word97
No

LanguageCode
English (US)

CompObjUserType
Microsoft Office Word 97-2003 Document

ModifyDate
2017:07:14 10:50:00

Characters
148

CodePage
Windows Cyrillic

RevisionNumber
3

MIMEType
application/msword

Words
25

FileType
DOC

Lines
1

AppVersion
12.0

Security
None

Software
Microsoft Office Word

TotalEditTime
2.0 minutes

Pages
1

ScaleCrop
No

CompObjUserTypeLen
39

FileTypeExtension
doc

Paragraphs
1

DocFlags
Has picture, 1Table, ExtChar

Compressed bundles
File identification
MD5 8c74445db4fe314b8f2165b83c754c92
SHA1 8bbd23ef230994ed843abf538393a488f126d0e9
SHA256 9594c4a60d67b58d48f8d235c5a03a26e2435a791cfdb89f6892fcb81954b435
ssdeep
1536:B7r5IloZjsWgFD/SuuiXF1OR4FbVVxNMPYzL/E6yFR:lr5IGmVFD/SSXDOR4FbV7NKfz

File size 97.0 KB ( 99328 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1251, Author: Admin, Template: Normal, Last Saved By: user, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Thu Jul 13 10:49:00 2017, Last Saved Time/Date: Thu Jul 13 10:50:00 2017, Number of Pages: 1, Number of Words: 25, Number of Characters: 148, Security: 0

TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags
obfuscated macros run-file doc

VirusTotal metadata
First submission 2017-07-14 11:31:19 UTC ( 1 year, 9 months ago )
Last submission 2018-05-04 20:30:11 UTC ( 11 months, 2 weeks ago )
File names 8bbd23ef230994ed843abf538393a488f126d0e9
SageInvoice.doc