SHA256: aeb8c585e9fcc35d5470bec8284e59a0a0150114c1f60d106a3b2f284ee6c8b4
File name: ReportonTitle7117152.1Final.doc
Detection ratio: 4 / 56
Analysis date: 2015-09-16 13:01:15 UTC ( 1 year, 11 months ago )
Antivirus Result Update
AVware LooksLike.Macro.Malware.gen!d1 (v) 20150916
McAfee W97M/Bartallex.ak 20150916
McAfee-GW-Edition W97M/Bartallex.ak 20150916
VIPRE LooksLike.Macro.Malware.gen!d1 (v) 20150916
Ad-Aware 20150916
AegisLab 20150916
Yandex 20150915
AhnLab-V3 20150915
Alibaba 20150916
ALYac 20150916
Antiy-AVL 20150916
Arcabit 20150916
Avast 20150916
AVG 20150916
Avira (no cloud) 20150915
Baidu-International 20150916
BitDefender 20150916
Bkav 20150916
ByteHero 20150916
CAT-QuickHeal 20150916
ClamAV 20150916
CMC 20150916
Comodo 20150916
Cyren 20150916
DrWeb 20150916
Emsisoft 20150916
ESET-NOD32 20150916
F-Prot 20150916
F-Secure 20150916
Fortinet 20150916
GData 20150916
Ikarus 20150916
Jiangmin 20150914
K7AntiVirus 20150916
K7GW 20150916
Kaspersky 20150916
Kingsoft 20150916
Malwarebytes 20150916
Microsoft 20150916
eScan 20150916
NANO-Antivirus 20150916
nProtect 20150916
Panda 20150916
Qihoo-360 20150916
Rising 20150913
Sophos AV 20150916
SUPERAntiSpyware 20150916
Symantec 20150915
Tencent 20150916
TheHacker 20150914
TrendMicro 20150916
TrendMicro-HouseCall 20150916
VBA32 20150916
ViRobot 20150916
Zillya 20150916
Zoner 20150916
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
Automatically runs commands or instructions when the file is opened.
May read system environment variables.
May open a file.
May write to a file.
May try to run other files, shell commands or applications.
May create OLE objects.
May execute code from Dynamically Linked Libraries.
Seems to contain deobfuscation code.
Summary
creation_datetime: 2015-09-16 01:30:00
template: Normal.dotm
page_count: 2
last_saved: 2015-09-16 11:05:00
word_count: 706
revision_number: 1
application_name: Microsoft Office Word
character_count: 4030
code_page: Latin I
Document summary
line_count: 33
characters_with_spaces: 4727
version: 983040
paragraph_count: 9
code_page: -535
OLE Streams
name
Root Entry
clsid
type_literal
root
clsid_literal
on
sid
0
size
8384
type_literal: stream, size: 4096, name: \x05DocumentSummaryInformation, sid: 5
type_literal: stream, size: 4096, name: \x05SummaryInformation, sid: 4
type_literal: stream, size: 11175, name: 1Table, sid: 2
type_literal: stream, size: 365005, name: Data, sid: 1
type_literal: stream, size: 534, name: Macros/PROJECT, sid: 17
type_literal: stream, size: 89, name: Macros/PROJECTwm, sid: 18
type_literal: stream, size: 2255, type: macro, name: Macros/VBA/Module1, sid: 13
type_literal: stream, size: 4979, type: macro, name: Macros/VBA/Module2, sid: 14
type_literal: stream, size: 7505, type: macro, name: Macros/VBA/ThisDocument, sid: 15
type_literal: stream, size: 4035, name: Macros/VBA/_VBA_PROJECT, sid: 16
type_literal: stream, size: 588, name: Macros/VBA/dir, sid: 12
type_literal: stream, size: 254, name: MsoDataStore/FE0\xc9L\xcdT\xc9\xca\xd4\xcaGQPY0\xd4G\xcc\xc5JA==/Item, sid: 8
type_literal: stream, size: 341, name: MsoDataStore/FE0\xc9L\xcdT\xc9\xca\xd4\xcaGQPY0\xd4G\xcc\xc5JA==/Properties, sid: 9
type_literal: stream, size: 42321, name: WordDocument, sid: 3
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 3049 bytes
auto-open create-ole obfuscated open-file run-dll write-file
[+] Module1.bas Macros/VBA/Module1 754 bytes
environ
[+] Module2.bas Macros/VBA/Module2 1928 bytes
create-ole obfuscated open-file run-file
ExifTool file metadata
SharedDoc: No
CodePage: Unicode (UTF-8)
LinksUpToDate: No
HeadingPairs: Title, 1, , 1
Template: Normal.dotm
CharCountWithSpaces: 4727
CreateDate: 2015:09:16 00:30:00
ModifyDate: 2015:09:16 10:05:00
TitleOfParts: ,
HyperlinksChanged: No
Characters: 4030
ScaleCrop: No
RevisionNumber: 1
MIMEType: application/msword
Words: 706
FileType: DOC
Lines: 33
AppVersion: 15.0
Security: None
Software: Microsoft Office Word
TotalEditTime: 0
Pages: 2
FileTypeExtension: doc
Paragraphs: 9

File identification
MD5 1939eba53a1289d68d1fb265d80e60a1
SHA1 fa9fdf6999a705d8e5f56cda3bbbc705b25c485c
SHA256 aeb8c585e9fcc35d5470bec8284e59a0a0150114c1f60d106a3b2f284ee6c8b4
ssdeep 12288:H965f42axvzAJ1SbwqlyJTt5hB5vIufW:Z2yvGIAJZF5vn+

File size 445.5 KB ( 456192 bytes )
File type MS Word Document
Magic literal CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Sep 15 00:30:00 2015, Last Saved Time/Date: Tue Sep 15 10:05:00 2015, Number of Pages: 2, Number of Words: 706, Number of Characters: 4030, Security: 0

TrID Microsoft Word document (35.9%)
Microsoft Excel sheet (33.7%)
Microsoft Word document (old ver.) (21.3%)
Generic OLE2 / Multistream Compound File (8.9%)
Tags
obfuscated open-file auto-open doc run-file macros run-dll environ attachment via-tor write-file create-ole

VirusTotal metadata
First submission 2015-09-16 11:21:40 UTC ( 1 year, 11 months ago )
Last submission 2017-02-22 20:49:20 UTC ( 6 months ago )
File names 1939eba53a1289d68d1fb265d80e60a1.OLE
ReportonTitle7117152.1Final.doc
ReportonTitle9374133.1Final.doc
ReportonTitle4539172.1Final.doc
ReportonTitle6074480.1Final.doc
1939eba53a1289d68d1fb265d80e60a1.malware
ReportonTitle0045168.1Final.doc
ReportonTitle2801631.1Final.doc
af6ee4499051fd9a545d0d0bb552a27f
ReportonTitle9335437.1Final.doc
9322FBCC.doc
ReportonTitle5355033.1Final.doc
ReportonTitle6973731.1Final.doc