SHA256: a545abc1866b06d5dff47bd40637c08f2aa20acdcb9a068a409eac1bd22cb649
File name: 423240733ef89781fa8cb50ced9d30fe_DOC95018457029580.rtf
Detection ratio: 38 / 56
Analysis date: 2017-03-30 04:54:38 UTC ( 10 months, 3 weeks ago )
Antivirus Result Update
Ad-Aware W97M.Downloader.BIU 20170330
AegisLab W2Km.Dridex.Gen!c 20170330
AhnLab-V3 W97M/Downloader 20170329
ALYac W97M.Downloader.BIU 20170330
Antiy-AVL Trojan[Downloader]/VBS.Agent.bkz 20170330
Arcabit HEUR.VBA.Trojan.d 20170330
Avast VBA:Downloader-BIQ [Trj] 20170330
AVG Downloader.Generic_c.ALIX 20170330
Avira (no cloud) W2000M/Agent.88310 20170330
AVware LooksLike.Macro.Malware.b (v) 20170330
Baidu VBS.Trojan-Downloader.Small.ce 20170330
BitDefender W97M.Downloader.BIU 20170330
CAT-QuickHeal W97M.Downloader.BR 20170329
ClamAV Doc.Dropper.Agent-1406651 20170330
Cyren W97M/Donoff 20170330
DrWeb W97M.DownLoader.979 20170330
Emsisoft W97M.Downloader.BIU (B) 20170330
ESET-NOD32 VBS/TrojanDownloader.Small.NEN 20170330
F-Prot New or modified W97M/Donoff 20170330
F-Secure Trojan-Downloader:W97M/Dridex.R 20170330
Fortinet WM/Agent!tr 20170330
GData W97M.Downloader.BIU 20170330
Ikarus Trojan-Downloader.VBA.Agent 20170329
Kaspersky Trojan-Downloader.VBS.Agent.bkz 20170330
McAfee W97M/Downloader!423240733EF8 20170330
McAfee-GW-Edition W97M/Downloader!423240733EF8 20170330
Microsoft Trojan:O97M/Macrobe.D 20170330
eScan W97M.Downloader.BIU 20170330
NANO-Antivirus Trojan.Script.Donoff.eclpvy 20170330
Panda O97M/Downloader 20170329
Qihoo-360 virus.office.obfuscated.1 20170330
Rising Downloader.Adnel!8.381 (topis) 20170330
Sophos AV Troj/DocDl-CEL 20170330
Symantec W97M.Downloader 20170329
Tencent Macro.Trojan.Dropper.Auto 20170330
TrendMicro-HouseCall W2KM_DRIDEX.YYSTU 20170330
VIPRE LooksLike.Macro.Malware.b (v) 20170330
ZoneAlarm by Check Point HEUR:Trojan-Downloader.Script.Generic 20170330
Alibaba 20170330
Bkav 20170329
CMC 20170330
Comodo 20170330
CrowdStrike Falcon (ML) 20170130
Endgame 20170329
Sophos ML 20170203
Jiangmin 20170330
K7AntiVirus 20170329
K7GW 20170330
Kingsoft 20170330
Malwarebytes 20170330
nProtect 20170330
Palo Alto Networks (Known Signatures) 20170330
SentinelOne (Static ML) 20170315
SUPERAntiSpyware 20170330
Symantec Mobile Insight 20170329
TheHacker 20170330
TotalDefense 20170330
TrendMicro 20170330
Trustlook 20170330
VBA32 20170329
ViRobot 20170330
Webroot 20170330
WhiteArmor 20170327
Yandex 20170327
Zillya 20170329
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May read system environment variables.
May open a file.
May write to a file.
May create OLE objects.
Seems to contain deobfuscation code.
Summary
creation_datetime
2016-04-12 18:00:00
template
Normal.dot
page_count
1
last_saved
2016-04-12 20:18:00
edit_time
5460
word_count
3
revision_number
98
application_name
Microsoft Office Word
character_count
22
code_page
Cyrillic
Document summary
line_count
1
characters_with_spaces
24
version
730895
paragraph_count
1
code_page
Cyrillic
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
7424
type_literal
stream
size
113
name
\x01CompObj
sid
20
type_literal
stream
size
276
name
\x05DocumentSummaryInformation
sid
4
type_literal
stream
size
380
name
\x05SummaryInformation
sid
3
type_literal
stream
size
4096
name
1Table
sid
1
type_literal
stream
size
596
name
Macros/PROJECT
sid
19
type_literal
stream
size
113
name
Macros/PROJECTwm
sid
18
type_literal
stream
size
8744
type
macro
name
Macros/VBA/Module1
sid
10
type_literal
stream
size
1154
type
macro
name
Macros/VBA/ThisDocument
sid
7
type_literal
stream
size
6343
name
Macros/VBA/_VBA_PROJECT
sid
11
type_literal
stream
size
1190
type
macro (only attributes)
name
Macros/VBA/bvcsdwrwer
sid
8
type_literal
stream
size
904
name
Macros/VBA/dir
sid
12
type_literal
stream
size
13601
type
macro
name
Macros/VBA/ttes
sid
9
type_literal
stream
size
97
name
Macros/bvcsdwrwer/\x01CompObj
sid
16
type_literal
stream
size
292
name
Macros/bvcsdwrwer/\x03VBFrame
sid
17
type_literal
stream
size
219
name
Macros/bvcsdwrwer/f
sid
14
type_literal
stream
size
1660
name
Macros/bvcsdwrwer/o
sid
15
type_literal
stream
size
4146
name
WordDocument
sid
2
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 173 bytes
[+] ttes.bas Macros/VBA/ttes 6265 bytes
create-ole environ obfuscated open-file
[+] Module1.bas Macros/VBA/Module1 3832 bytes
create-ole write-file
ExifTool file metadata
SharedDoc
No

HyperlinksChanged
No

LinksUpToDate
No

HeadingPairs
, 1

Template
Normal.dot

CharCountWithSpaces
24

CreateDate
2016:04:12 17:00:00

Security
None

CompObjUserType
???????? Microsoft Office Word

ModifyDate
2016:04:12 19:18:00

Characters
22

Pages
1

RevisionNumber
98

MIMEType
application/msword

Words
3

FileType
DOC

Lines
1

AppVersion
11.9999

CodePage
Windows Cyrillic

Software
Microsoft Office Word

TotalEditTime
1.5 hours

ScaleCrop
No

CompObjUserTypeLen
31

Warning
Truncated property data

FileTypeExtension
doc

Paragraphs
1

File identification
MD5 423240733ef89781fa8cb50ced9d30fe
SHA1 eabecd4643f0cdc7177f04c034cc77485935cfb0
SHA256 a545abc1866b06d5dff47bd40637c08f2aa20acdcb9a068a409eac1bd22cb649
ssdeep
768:cXeDmVFJ8lj4AhpwMrQgXKUceUbKGHKcFuS8M6pQc:mom58iMroUdUbzF4M6F

File size 57.0 KB ( 58368 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Template: Normal.dot, Revision Number: 98, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:31:00, Create Time/Date: Mon Apr 11 17:00:00 2016, Last Saved Time/Date: Mon Apr 11 19:18:00 2016, Number of Pages: 1, Number of Words: 3, Number of Characters: 22, Security: 0

TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags
obfuscated open-file doc macros environ write-file create-ole

VirusTotal metadata
First submission 2016-04-13 17:44:44 UTC ( 1 year, 10 months ago )
Last submission 2016-09-12 19:52:01 UTC ( 1 year, 5 months ago )
File names b469cd8a0c42bfe5e08f76234610a1b1
423240733ef89781fa8cb50ced9d30fe.rtf
4d1c250e28de91101e89d425226082b0
1093566eed773adb5e521cb5557d1e34
2829158b4b8c4c9a3fb451f290f4cb5499b3e2c5
DOC200032945106906085404.rtf
bc879e4908aace8bf9abc279a09a5ae3
DOC8900923940281899.rtf
DOC4697427347358257.rtf
423240733ef89781fa8cb50ced9d30fe_DOC95018457029580.rtf