SHA256: a2a8f44677dd70276e22d0a264cf3c1b165cfe3c403494079ce06d67613b5f15
File name: 2015_MURI_FOA_ONR_FOA_14-012_FINAL_EGS.doc
Detection ratio: 7 / 55
Analysis date: 2015-07-22 12:14:46 UTC ( 3 years, 10 months ago )
Antivirus Result Update
Arcabit HEUR.VBA.Trojan 20150722
Avast VBA:Downloader-HN [Trj] 20150722
AVware LooksLike.Macro.Malware.gen!d1 (v) 20150722
F-Secure Trojan:W97M/MaliciousMacro.GEN 20150722
Fortinet WM/Agent!tr 20150722
Qihoo-360 Trojan.Generic 20150722
VIPRE LooksLike.Macro.Malware.gen!d1 (v) 20150722
Ad-Aware 20150722
AegisLab 20150722
Yandex 20150721
AhnLab-V3 20150722
Alibaba 20150722
ALYac 20150722
Antiy-AVL 20150722
AVG 20150721
Avira (no cloud) 20150722
Baidu-International 20150722
BitDefender 20150722
Bkav 20150721
ByteHero 20150722
CAT-QuickHeal 20150722
ClamAV 20150721
Comodo 20150722
Cyren 20150722
DrWeb 20150722
Emsisoft 20150722
ESET-NOD32 20150722
F-Prot 20150722
GData 20150722
Ikarus 20150722
Jiangmin 20150720
K7AntiVirus 20150722
K7GW 20150722
Kaspersky 20150722
Kingsoft 20150722
Malwarebytes 20150722
McAfee 20150722
McAfee-GW-Edition 20150722
Microsoft 20150722
eScan 20150722
NANO-Antivirus 20150722
nProtect 20150722
Panda 20150722
Rising 20150722
Sophos AV 20150722
SUPERAntiSpyware 20150722
Symantec 20150722
Tencent 20150722
TheHacker 20150721
TrendMicro 20150722
TrendMicro-HouseCall 20150722
VBA32 20150722
ViRobot 20150722
Zillya 20150722
Zoner 20150722
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
Automatically runs commands or instructions when the file is opened.
May read system environment variables.
May open a file.
May write to a file.
May try to run other files, shell commands or applications.
May create OLE objects.
Seems to contain deobfuscation code.
Summary
last_author: Windows User
creation_datetime: 2015-07-22 13:33:00
revision_number: 96
author: MMM
page_count: 2
last_saved: 2015-07-22 12:20:00
edit_time: 3120
word_count: 547
template: Normal.dotm
application_name: Microsoft Office Word
character_count: 3120
code_page: Latin I
Document summary
line_count: 26
characters_with_spaces: 3660
version: 983040
paragraph_count: 7
code_page: -535
OLE Streams
name: Root Entry; clsid: 00020906-0000-0000-c000-000000000046; type_literal: root; clsid_literal: MS Word; sid: 0; size: 5184
type_literal: stream; sid: 16; name: \x01CompObj; size: 114
type_literal: stream; sid: 5; name: \x05DocumentSummaryInformation; size: 4096
type_literal: stream; sid: 4; name: \x05SummaryInformation; size: 4096
type_literal: stream; sid: 2; name: 1Table; size: 9973
type_literal: stream; sid: 1; name: Data; size: 16886
type_literal: stream; sid: 14; name: Macros/PROJECT; size: 579
type_literal: stream; sid: 15; name: Macros/PROJECTwm; size: 113
type_literal: stream; sid: 9; type: macro; name: Macros/VBA/Module1; size: 974
type_literal: stream; sid: 10; type: macro; name: Macros/VBA/Module2; size: 2611
type_literal: stream; sid: 11; type: macro; name: Macros/VBA/Module3; size: 4360
type_literal: stream; sid: 12; type: macro; name: Macros/VBA/ThisDocument; size: 16586
type_literal: stream; sid: 13; name: Macros/VBA/_VBA_PROJECT; size: 5359
type_literal: stream; sid: 8; name: Macros/VBA/dir; size: 609
type_literal: stream; sid: 3; name: WordDocument; size: 9262
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 7744 bytes
exe-pattern auto-open create-ole obfuscated open-file write-file
[+] Module1.bas Macros/VBA/Module1 88 bytes
[+] Module2.bas Macros/VBA/Module2 910 bytes
create-ole environ obfuscated open-file
[+] Module3.bas Macros/VBA/Module3 2256 bytes
obfuscated run-file
ExifTool file metadata
SharedDoc: No
Author: MMM
HyperlinksChanged: No
LinksUpToDate: No
LastModifiedBy: Windows User
HeadingPairs: Title, 1, , 1
Template: Normal.dotm
CharCountWithSpaces: 3660
CreateDate: 2015:07:22 12:33:00
CompObjUserType: Microsoft Word 97-2003 Document
ModifyDate: 2015:07:22 11:20:00
TitleOfParts: ,
CodePage: Unicode (UTF-8)
Characters: 3120
ScaleCrop: No
RevisionNumber: 96
MIMEType: application/msword
Words: 547
FileType: DOC
Lines: 26
AppVersion: 15.0
Security: None
Software: Microsoft Office Word
TotalEditTime: 52.0 minutes
Pages: 2
CompObjUserTypeLen: 32
FileTypeExtension: doc
Paragraphs: 7

Compressed bundles
File identification
MD5 1fdb0af80d01739410a3eef67c4144ff
SHA1 481978eecb1ae94824156710bf96fc30bbfdbd37
SHA256 a2a8f44677dd70276e22d0a264cf3c1b165cfe3c403494079ce06d67613b5f15
ssdeep
768:qE8JHBxAs5vpKOtxJwJWjCKY6MiWY1/qP/JOgA0+xk0bl6wafgn8w/Ss:vQ1vhhMbRFiWYVqnA1k0bsfML

File size 80.5 KB ( 82432 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: MMM, Template: Normal.dotm, Last Saved By: Windows User, Revision Number: 96, Name of Creating Application: Microsoft Office Word, Total Editing Time: 52:00, Create Time/Date: Tue Jul 21 12:33:00 2015, Last Saved Time/Date: Tue Jul 21 11:20:00 2015, Number of Pages: 2, Number of Words: 547, Number of Characters: 3120, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated open-file auto-open exe-pattern doc run-file macros environ attachment via-tor write-file create-ole

VirusTotal metadata
First submission 2015-07-22 11:28:36 UTC ( 3 years, 10 months ago )
Last submission 2018-06-22 14:39:17 UTC ( 11 months ago )
File names 2015_MURI_FOA_ONR_FOA_14-012_FINAL_EGS.doc
385b877b11911bd34267d41b2f190b35
2015_MURI_FOA_ONR_FOA_14-012_FINAL_EGS_20150722043450_250634.doc
9YFL.xlt
0ee04e83bc5c1879f4e83cd9ceb5b3f9
VirusShare_1fdb0af80d01739410a3eef67c4144ff
2015_MURI_FOA_ONR_FOA_14-012_FINAL_EGS.do_
237a5b8cb900b5eee75cfa8a09492bee
1fdb0af80d01739410a3eef67c4144ff_dnr.doc
2015_MURI_FOA_ONR_FOA_14-012_FINAL_EGS.doc
cc5e3c041b638ed82f7dd3eee50ca475
c56bd7b0715bbd90682d64b8cf869f85
2015_MURI_FOA_ONR_FOA_14-012_FINAL_EGS.doc
axrY.scr
2015_MURI_FOA_ONR_FOA_14-012_FINAL_EGS.doc_000160914_.doc