SHA256: a8bfefc9496bc1878947f85d9564b9fc84b56a6dd2e90c7ca58759a6f8625a54
File name: 9210-07.doc
Detection ratio: 1 / 54
Analysis date: 2016-01-27 14:04:47 UTC ( 1 year, 10 months ago )
Antivirus Result Update
Arcabit HEUR.VBA.Trojan.d 20160127
Ad-Aware 20160127
AegisLab 20160127
Yandex 20160126
AhnLab-V3 20160127
Alibaba 20160127
ALYac 20160127
Antiy-AVL 20160127
Avast 20160127
AVG 20160127
Avira (no cloud) 20160127
Baidu-International 20160127
BitDefender 20160127
Bkav 20160127
ByteHero 20160127
CAT-QuickHeal 20160127
ClamAV 20160127
CMC 20160111
Comodo 20160127
Cyren 20160127
DrWeb 20160127
Emsisoft 20160127
ESET-NOD32 20160127
F-Prot 20160127
F-Secure 20160127
Fortinet 20160127
GData 20160127
Ikarus 20160127
Jiangmin 20160127
K7AntiVirus 20160127
K7GW 20160127
Kaspersky 20160127
Malwarebytes 20160127
McAfee 20160127
McAfee-GW-Edition 20160127
Microsoft 20160127
eScan 20160127
NANO-Antivirus 20160127
nProtect 20160127
Panda 20160126
Qihoo-360 20160127
Rising 20160127
Sophos AV 20160127
SUPERAntiSpyware 20160127
Symantec 20160126
Tencent 20160127
TheHacker 20160124
TrendMicro 20160127
TrendMicro-HouseCall 20160127
VBA32 20160127
VIPRE 20160127
ViRobot 20160127
Zillya 20160127
Zoner 20160127
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May try to run other files, shell commands or applications.
May create OLE objects.
Seems to contain deobfuscation code.
Summary
last_author: User
creation_datetime: 2016-01-27 09:52:00
template: Normal.dot
author: Administrator
page_count: 1
last_saved: 2016-01-27 13:20:00
edit_time: 120
word_count: 79
revision_number: 6
application_name: Microsoft Office Word
character_count: 455
code_page: Cyrillic
Document summary
byte_count: 48640
company:
characters_with_spaces: 533
line_count: 3
version: 726502
paragraph_count: 1
code_page: Cyrillic
OLE Streams
name: Root Entry, clsid: 00020906-0000-0000-c000-000000000046, type_literal: root, clsid_literal: MS Word, sid: 0, size: 10240
name: \x01CompObj, type_literal: stream, sid: 20, size: 113
name: \x05DocumentSummaryInformation, type_literal: stream, sid: 4, size: 4096
name: \x05SummaryInformation, type_literal: stream, sid: 3, size: 4096
name: 1Table, type_literal: stream, sid: 1, size: 4294
name: Macros/PROJECT, type_literal: stream, sid: 19, size: 547
name: Macros/PROJECTwm, type_literal: stream, sid: 18, size: 95
name: Macros/VBA/ThisDocument, type_literal: stream, sid: 7, size: 3888, type: macro
name: Macros/VBA/_VBA_PROJECT, type_literal: stream, sid: 11, size: 4800
name: Macros/VBA/bedpost, type_literal: stream, sid: 8, size: 4910, type: macro
name: Macros/VBA/dir, type_literal: stream, sid: 12, size: 894
name: Macros/VBA/dram, type_literal: stream, sid: 10, size: 1155, type: macro (only attributes)
name: Macros/VBA/lees, type_literal: stream, sid: 9, size: 2618, type: macro
name: Macros/dram/\x01CompObj, type_literal: stream, sid: 16, size: 97
name: Macros/dram/\x03VBFrame, type_literal: stream, sid: 17, size: 291
name: Macros/dram/f, type_literal: stream, sid: 14, size: 131
name: Macros/dram/o, type_literal: stream, sid: 15, size: 96
name: WordDocument, type_literal: stream, sid: 2, size: 6190
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 1281 bytes
exe-pattern create-ole obfuscated run-file
[+] bedpost.bas Macros/VBA/bedpost 2040 bytes
create-ole obfuscated open-file
[+] lees.bas Macros/VBA/lees 941 bytes
ExifTool file metadata
SharedDoc: No
Author: Administrator
CodePage: Windows Cyrillic
LinksUpToDate: No
LastModifiedBy: User
HeadingPairs: , 1
Template: Normal.dot
CharCountWithSpaces: 533
CreateDate: 2016:01:27 08:52:00
CompObjUserType: ???????? Microsoft Office Word
ModifyDate: 2016:01:27 12:20:00
HyperlinksChanged: No
Characters: 455
ScaleCrop: No
RevisionNumber: 6
MIMEType: application/msword
Words: 79
Bytes: 48640
FileType: DOC
Lines: 3
AppVersion: 11.5606
Security: None
Software: Microsoft Office Word
TotalEditTime: 2.0 minutes
Pages: 1
CompObjUserTypeLen: 31
FileTypeExtension: doc
Paragraphs: 1
File identification
MD5 7d1ff6c86fdddd20af6f69684c3d5485
SHA1 25c5ec999c1c1c3ee751ed8c9dc53bc5d443f7fb
SHA256 a8bfefc9496bc1878947f85d9564b9fc84b56a6dd2e90c7ca58759a6f8625a54
ssdeep
384:wwL/SLD6bVMHHHw5dMDdueD6cOJguOAR0hB7yOcSQPtBwlwAFUZ0jD6vdygtQ:Q65BMDLD69J1OJLJqwtFARg

File size 44.0 KB ( 45056 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1251, Author: Administrator, Template: Normal.dot, Last Saved By: User, Revision Number: 6, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Tue Jan 26 08:52:00 2016, Last Saved Time/Date: Tue Jan 26 12:20:00 2016, Number of Pages: 1, Number of Words: 79, Number of Characters: 455, Security: 0

TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags
obfuscated run-file exe-pattern doc open-file macros attachment create-ole

VirusTotal metadata
First submission 2016-01-27 13:28:35 UTC ( 1 year, 10 months ago )
Last submission 2016-08-08 04:26:48 UTC ( 1 year, 3 months ago )
File names 9210.doc
818c955fd8f74c849cf95d9137b07ec1
60a4c16cc9a76054e0bd4b78b578500d
9210.doc
virus suspect.doc
c56052ca43b8cb1712f72089a1e2bd29
9210-02.doc
414a396b872e5fb26a40da5a8b745784
phpXmtteg
be5254205c69d0fc588d806956066428
eeb866ce71ebc3c17dd81e176d5aac8f
9210-07.doc