SHA256: b0d47b1815494206a4e35a414caf17c39f8ce4677e563485e89ddbfee726d015
File name: 583778ea50e163af2a1ad02422736f2d_030815121220062_1_.doc
Detection ratio: 41 / 56
Analysis date: 2016-08-17 02:26:58 UTC ( 1 year, 2 months ago )
Antivirus Result Update
Ad-Aware Trojan.Msword.NSD 20160817
AegisLab Troj.Downloader.Msword!c 20160816
AhnLab-V3 W97M/Downloader 20160816
ALYac Trojan.Msword.NSD 20160816
Antiy-AVL Trojan[Downloader]/MSWord.Agent.ql 20160817
Arcabit HEUR.VBA.Trojan.d 20160817
Avast VBA:Downloader-JN [Trj] 20160817
AVG Downloader.Generic_c.KYO 20160817
Avira (no cloud) WM/Agent.3215 20160816
AVware LooksLike.Macro.Malware.g (v) 20160817
Baidu VBA.Trojan-Downloader.Agent.gn 20160816
BitDefender Trojan.Msword.NSD 20160817
CAT-QuickHeal W97M.Dropper.GO 20160816
Comodo UnclassifiedMalware 20160816
Cyren W97M/Donoff 20160817
DrWeb W97M.DownLoader.541 20160817
Emsisoft Trojan.Msword.NSD (B) 20160817
ESET-NOD32 VBA/TrojanDownloader.Agent.ZN 20160817
F-Prot New or modified W97M/Donoff 20160817
F-Secure Trojan:W97M/MaliciousMacro.GEN 20160817
Fortinet WM/Agent!tr 20160817
GData Trojan.Msword.NSD 20160817
Ikarus Trojan-Downloader.VBA.Agent 20160816
Jiangmin WM/Downloader.Agent.qe 20160817
Kaspersky Trojan-Downloader.MSWord.Agent.ql 20160817
McAfee W97M/Downloader.all 20160817
McAfee-GW-Edition W97M/Downloader.all 20160816
Microsoft TrojanDownloader:O97M/Donoff 20160817
eScan Trojan.Msword.NSD 20160817
NANO-Antivirus Trojan.Script.PDF.dzxkwm 20160817
nProtect Trojan.Msword.NSD 20160812
Panda W97M/Downloader 20160816
Qihoo-360 heur.macro.encodefeature.c 20160817
Rising Heur.Macro.Downloader.e 20160817
Sophos AV Troj/DocDl-WH 20160816
Symantec W97M.Downloader 20160817
Tencent Word.Trojan-downloader.Agent.Suxr 20160817
TrendMicro W2KM_DRIDEX.SYN 20160817
TrendMicro-HouseCall W2KM_DRIDEX.SYN 20160817
VIPRE LooksLike.Macro.Malware.g (v) 20160817
ViRobot W97M.S.Downloader.102400.B[h] 20160816
Alibaba 20160816
Bkav 20160816
ClamAV 20160817
CMC 20160816
K7AntiVirus 20160816
K7GW 20160817
Kingsoft 20160817
Malwarebytes 20160817
SUPERAntiSpyware 20160817
TheHacker 20160816
TotalDefense 20160817
VBA32 20160816
Yandex 20160816
Zillya 20160816
Zoner 20160816
The file being studied follows the Compound Document File format! More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May write to a file.
May perform operations with other files.
May copy a file.
May create additional files.
May attempt to create directories.
May create OLE objects.
Seems to contain deobfuscation code.
Summary
last_author
1
creation_datetime
2015-08-05 07:32:00
template
Normal
author
1
page_count
1
last_saved
2015-08-05 07:34:00
edit_time
120
revision_number
3
application_name
Microsoft Office Word
code_page
Cyrillic
Document summary
line_count
1
company
Home
version
786432
paragraph_count
1
code_page
Cyrillic
OLE Streams
name: Root Entry, clsid: 00020906-0000-0000-c000-000000000046, type_literal: root, clsid_literal: MS Word, sid: 0, size: 17408
type_literal: stream, size: 121, name: \x01CompObj, sid: 23
type_literal: stream, size: 4096, name: \x05DocumentSummaryInformation, sid: 4
type_literal: stream, size: 4096, name: \x05SummaryInformation, sid: 3
type_literal: stream, size: 8347, name: 1Table, sid: 1
type_literal: stream, size: 509, name: Macros/PROJECT, sid: 22
type_literal: stream, size: 113, name: Macros/PROJECTwm, sid: 21
type_literal: stream, size: 4056, type: macro, name: Macros/VBA/Module1, sid: 13
type_literal: stream, size: 17408, type: macro, name: Macros/VBA/Module2, sid: 10
type_literal: stream, size: 33487, type: macro, name: Macros/VBA/Module3, sid: 14
type_literal: stream, size: 2119, type: macro, name: Macros/VBA/ThisDocument, sid: 7
type_literal: stream, size: 6346, name: Macros/VBA/_VBA_PROJECT, sid: 17
type_literal: stream, size: 2367, name: Macros/VBA/__SRP_0, sid: 19
type_literal: stream, size: 364, name: Macros/VBA/__SRP_1, sid: 20
type_literal: stream, size: 432, name: Macros/VBA/__SRP_2, sid: 8
type_literal: stream, size: 149, name: Macros/VBA/__SRP_3, sid: 9
type_literal: stream, size: 3068, name: Macros/VBA/__SRP_4, sid: 15
type_literal: stream, size: 570, name: Macros/VBA/__SRP_5, sid: 16
type_literal: stream, size: 2274, name: Macros/VBA/__SRP_6, sid: 11
type_literal: stream, size: 352, name: Macros/VBA/__SRP_7, sid: 12
type_literal: stream, size: 617, name: Macros/VBA/dir, sid: 18
type_literal: stream, size: 4096, name: WordDocument, sid: 2
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 83 bytes
[+] Module2.bas Macros/VBA/Module2 9973 bytes
copy-file create-file obfuscated open-file
[+] Module1.bas Macros/VBA/Module1 2686 bytes
copy-file
[+] Module3.bas Macros/VBA/Module3 23403 bytes
copy-file create-dir create-ole handle-file obfuscated open-file write-file
ExifTool file metadata
SharedDoc
No

Author
1

CodePage
Windows Cyrillic

LinksUpToDate
No

LastModifiedBy
1

HeadingPairs
, 1

Template
Normal

CharCountWithSpaces
0

CreateDate
2015:08:05 06:32:00

CompObjUserType
???????? Microsoft Office Word 97-2003

ModifyDate
2015:08:05 06:34:00

Company
Home

HyperlinksChanged
No

Characters
0

ScaleCrop
No

RevisionNumber
3

MIMEType
application/msword

Words
0

FileType
DOC

Lines
1

AppVersion
12.0

Security
None

Software
Microsoft Office Word

TotalEditTime
2.0 minutes

Pages
1

CompObjUserTypeLen
39

FileTypeExtension
doc

Paragraphs
1

File identification
MD5 583778ea50e163af2a1ad02422736f2d
SHA1 ab8c1a909cca61b142dc9a256cbaea8ff64f3963
SHA256 b0d47b1815494206a4e35a414caf17c39f8ce4677e563485e89ddbfee726d015
ssdeep
3072:dF56i0+SXzG8UGdybIy6FjlT+9T9OQwsgffJdG2LeZ12M5xyT3:dF2ZeZ1H/

File size 100.0 KB ( 102400 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: 1, Template: Normal, Last Saved By: 1, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Tue Aug 04 06:32:00 2015, Last Saved Time/Date: Tue Aug 04 06:34:00 2015, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0

TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags
obfuscated open-file create-dir handle-file doc copy-file create-file macros via-tor write-file create-ole

VirusTotal metadata
First submission 2015-08-05 08:58:24 UTC ( 2 years, 2 months ago )
Last submission 2016-08-17 02:26:58 UTC ( 1 year, 2 months ago )
File names 583778ea50e163af2a1ad02422736f2d_030815121220062_1_.doc
030815121220062.doc
583778ea50e163af2a1ad02422736f2d.OLE
VIR-Accumentia Booking (16-9-15).doc
Accumentia Booking (16-9-15).doc