SHA256: a6e1043afe619b02cf4fb43c460bf1827010d03a2010571d1e4b2f5ee66a6825
File name: 1913.doc
Detection ratio: 3 / 57
Analysis date: 2015-06-09 11:02:46 UTC ( 3 years, 11 months ago )
Antivirus Result Update
Arcabit HEUR.VBA.Trojan 20150609
AVware Lookslike.Macro.Downloader.c (v) 20150609
VIPRE Lookslike.Macro.Downloader.c (v) 20150609
Ad-Aware 20150609
AegisLab 20150609
Yandex 20150608
AhnLab-V3 20150608
Alibaba 20150609
ALYac 20150609
Antiy-AVL 20150609
Avast 20150609
AVG 20150609
Avira (no cloud) 20150609
Baidu-International 20150609
BitDefender 20150609
Bkav 20150609
ByteHero 20150609
CAT-QuickHeal 20150609
ClamAV 20150609
CMC 20150604
Comodo 20150609
Cyren 20150609
DrWeb 20150609
Emsisoft 20150609
ESET-NOD32 20150609
F-Prot 20150609
F-Secure 20150609
Fortinet 20150609
GData 20150609
Ikarus 20150609
Jiangmin 20150608
K7AntiVirus 20150609
K7GW 20150609
Kaspersky 20150609
Kingsoft 20150609
Malwarebytes 20150609
McAfee 20150609
McAfee-GW-Edition 20150609
Microsoft 20150609
eScan 20150609
NANO-Antivirus 20150609
nProtect 20150609
Panda 20150608
Qihoo-360 20150609
Rising 20150609
Sophos AV 20150609
SUPERAntiSpyware 20150609
Symantec 20150609
Tencent 20150609
TheHacker 20150607
TotalDefense 20150609
TrendMicro 20150609
TrendMicro-HouseCall 20150609
VBA32 20150608
ViRobot 20150609
Zillya 20150609
Zoner 20150608
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May read system environment variables.
May open a file.
May write to a file.
May create additional files.
May try to run other files, shell commands or applications.
May create OLE objects.
May enumerate open windows.
May execute code from Dynamically Linked Libraries.
May try to interact with other applications, for example, by sending key strokes.
Seems to contain deobfuscation code.
Seems to contain code to deceive researchers and automatic analysis systems.
Summary
last_author: 1
creation_datetime: 2015-06-09 08:32:00
revision_number: 2
author: 1
page_count: 1
last_saved: 2015-06-09 08:32:00
edit_time: 120
template: Normal
application_name: Microsoft Office Word
code_page: Cyrillic
Document summary
line_count: 1
version: 726502
paragraph_count: 1
code_page: Cyrillic
OLE Streams
name: Root Entry; clsid: 00020906-0000-0000-c000-000000000046; type_literal: root; clsid_literal: MS Word; sid: 0; size: 4032
type_literal: stream; sid: 18; name: \x01CompObj; size: 113
type_literal: stream; sid: 4; name: \x05DocumentSummaryInformation; size: 4096
type_literal: stream; sid: 3; name: \x05SummaryInformation; size: 4096
type_literal: stream; sid: 1; name: 1Table; size: 5298
type_literal: stream; sid: 17; name: Macros/PROJECT; size: 554
type_literal: stream; sid: 16; name: Macros/PROJECTwm; size: 137
type_literal: stream; sid: 8; type: macro; name: Macros/VBA/Module1; size: 17904
type_literal: stream; sid: 10; type: macro; name: Macros/VBA/Module3; size: 15229
type_literal: stream; sid: 11; type: macro; name: Macros/VBA/Module4; size: 7787
type_literal: stream; sid: 9; name: Macros/VBA/Module5; size: 27679
type_literal: stream; sid: 7; type: macro; name: Macros/VBA/ThisDocument; size: 2076
type_literal: stream; sid: 12; name: Macros/VBA/_VBA_PROJECT; size: 9953
type_literal: stream; sid: 14; name: Macros/VBA/__SRP_0; size: 10800
type_literal: stream; sid: 15; name: Macros/VBA/__SRP_1; size: 343
type_literal: stream; sid: 13; name: Macros/VBA/dir; size: 638
type_literal: stream; sid: 2; name: WordDocument; size: 4142
Macros and VBA code streams
ThisDocument.cls Macros/VBA/ThisDocument 101 bytes
Module1.bas Macros/VBA/Module1 7185 bytes
exe-pattern enum-windows environ obfuscated run-file send-keys
Module5.bas Macros/VBA/Module5 11222 bytes
anti-analysis create-file create-ole obfuscated open-file write-file
Module3.bas Macros/VBA/Module3 5658 bytes
obfuscated
Module4.bas Macros/VBA/Module4 2703 bytes
obfuscated open-file run-dll
ExifTool file metadata
SharedDoc: No
Author: 1
HyperlinksChanged: No
System: Windows
LinksUpToDate: No
LastModifiedBy: 1
HeadingPairs: , 1
Identification: Word 8.0
Template: Normal
CharCountWithSpaces: 0
CreateDate: 2015:06:09 06:32:00
Word97: No
LanguageCode: Russian
CompObjUserType: ???????? Microsoft Office Word
ModifyDate: 2015:06:09 06:32:00
Characters: 0
CodePage: Windows Cyrillic
RevisionNumber: 2
MIMEType: application/msword
Words: 0
FileType: DOC
Lines: 1
AppVersion: 11.5606
Security: None
Software: Microsoft Office Word
TotalEditTime: 2 minutes
Pages: 1
ScaleCrop: No
CompObjUserTypeLen: 31
FileTypeExtension: doc
Paragraphs: 1
LastPrinted: 0000:00:00 00:00:00
DocFlags: 1Table, ExtChar

Compressed bundles
File identification
MD5 2e5c33d8fdf22053cb3f49b200b35dc8
SHA1 49e5880a38fd0d7e136c0e44e501301d93401879
SHA256 a6e1043afe619b02cf4fb43c460bf1827010d03a2010571d1e4b2f5ee66a6825
ssdeep 3072:HiStLm7t/peKTr0GOyA8m9J2TWGpubmhewqqMtNhi5H3FYnoOqr:Sr0GOyA8evmhpqqd1YnoO

File size 115.5 KB ( 118272 bytes )
File type MS Word Document
Magic literal CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: 1, Template: Normal, Last Saved By: 1, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Mon Jun 08 07:32:00 2015, Last Saved Time/Date: Mon Jun 08 07:32:00 2015, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0

TrID Microsoft Word document (33.3%)
Microsoft PowerPoint document (32.8%)
Microsoft Excel sheet (alternate) (25.5%)
Generic OLE2 / Multistream Compound File (8.3%)
Tags
obfuscated run-file enum-windows exe-pattern doc create-file open-file macros run-dll environ attachment send-keys write-file anti-analysis create-ole

VirusTotal metadata
First submission 2015-06-09 07:23:50 UTC ( 3 years, 11 months ago )
Last submission 2018-05-11 23:56:23 UTC ( 1 year ago )
File names f6c262a89b3f6756a0dd2b074142598c
virus OR_12_276_500315_0000118762.doc
myvtfile.exe
bf1fdfb89be4b843f3a9c5136e0f7212
PB_47A0UQ8Y4.DOC
1913_doc
c25dd0ff2ac33b352f413477af55147e
3267298 2015061035.doc
1913.doc
4b37a0c51453093043ca8e834126a036
865c73ed2abdc46afcadbbc3f02cfd9e
3267298_2015061035.doc
118272-2e5c33d8fdf22053cb3f49b200b35dc8.doc
9e4a38d2d162d18c312df6495b37d5b6
18079e559631225a5d86ead00261516f
971a455cdb2bdd3c214b3079ea3811e4
c32876e35a8957197c8f6e1ccb56f00e
cdbb5f6571078b504f6a424dcab17c3a
OR_12_276_500315_0000118762.doc
1913.doc
5080ea9bf4092d1ba8b238c920524e7b