SHA256: b57d4554cc35824d9c0f1476d9afdafd1a1f5adc0b247ee3ea2c943d56ed1da6
File name: e56a57acf528b8cd340ae039519d5150.doc
Detection ratio: 38 / 57
Analysis date: 2016-03-24 16:29:36 UTC ( 1 year, 4 months ago )
Antivirus Result Update
Ad-Aware Trojan.Agent.BPTV 20160324
AegisLab Troj.Agent.Bptv!c 20160324
AhnLab-V3 W97M/Agent 20160324
ALYac Trojan.Agent.BPTV 20160324
Antiy-AVL Trojan[Dropper]/MSWord.Agent.kd 20160324
Arcabit HEUR.VBA.Trojan.d 20160324
Avast VBA:Downloader-AFY [Trj] 20160324
AVG W97M/Downloader.AI 20160324
Avira (no cloud) W2000M/Adnel.A 20160324
AVware LooksLike.Macro.Malware.m (v) 20160324
Baidu VBA.Trojan-Dropper.Agent.ee 20160324
BitDefender Trojan.Agent.BPTV 20160324
CAT-QuickHeal W97M.Dropper.SY 20160323
Comodo UnclassifiedMalware 20160324
Cyren W97M/DropExe 20160324
DrWeb W97M.Dropper.5 20160324
Emsisoft Trojan.Agent.BPTV (B) 20160324
ESET-NOD32 VBA/TrojanDropper.Agent.EW 20160324
F-Prot New or modified W97M/DropExe 20160324
F-Secure Trojan-Dropper:W97M/MaliciousDoc.A 20160324
Fortinet WM/Agent!tr 20160324
GData Trojan.Agent.BPTV 20160324
Ikarus Trojan-Dropper.VBA.Agent 20160324
Kaspersky Trojan-Dropper.MSWord.Agent.kd 20160324
McAfee W97M/Dropper.ao 20160324
McAfee-GW-Edition W97M/Dropper.ao 20160324
Microsoft TrojanDropper:O97M/Vawtrak 20160324
eScan Trojan.Agent.BPTV 20160324
NANO-Antivirus Trojan.Ole2.Adnel.dzwqip 20160324
nProtect Trojan.Agent.BPTV 20160324
Panda O97M/Downloader 20160324
Qihoo-360 virus.office.obfuscated.1 20160324
Sophos AV Troj/DocDl-ASW 20160324
Symantec W97M.Downloader 20160324
Tencent Win32.Trojan.Adnel.Ajli 20160324
TrendMicro W2KM_FAREIT.VSXC 20160324
TrendMicro-HouseCall W2KM_FAREIT.VSXC 20160324
VIPRE LooksLike.Macro.Malware.m (v) 20160324
Yandex 20160316
Alibaba 20160323
Baidu-International 20160324
Bkav 20160324
ByteHero 20160324
ClamAV 20160324
CMC 20160322
Jiangmin 20160324
K7AntiVirus 20160324
K7GW 20160323
Malwarebytes 20160324
Rising 20160324
SUPERAntiSpyware 20160324
TheHacker 20160324
TotalDefense 20160324
VBA32 20160324
ViRobot 20160324
Zillya 20160324
Zoner 20160324
The file being studied follows the Compound Document File format. More specifically, it is an MS Word document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May write to a file.
May perform operations with other files.
May try to run other files, shell commands or applications.
May create OLE objects.
Seems to contain deobfuscation code.
Summary
last_author
User
creation_datetime
2016-01-14 12:41:00
author
User
title
RSA Encryption
page_count
2
last_saved
2016-01-14 13:02:00
edit_time
300
word_count
656
revision_number
20
application_name
Microsoft Office Word
character_count
3742
code_page
Cyrillic
template
Normal.dot
Document summary
line_count
31
characters_with_spaces
4390
version
726502
paragraph_count
8
code_page
Cyrillic
OLE Streams
name
Root Entry
clsid
00020906-0000-0000-c000-000000000046
type_literal
root
clsid_literal
MS Word
sid
0
size
6272
type_literal
stream
sid
19
name
\x01CompObj
size
113
type_literal
stream
sid
4
name
\x05DocumentSummaryInformation
size
4096
type_literal
stream
sid
3
name
\x05SummaryInformation
size
4096
type_literal
stream
sid
1
name
1Table
size
4163
type_literal
stream
sid
15
name
Macros/Fire/\x01CompObj
size
97
type_literal
stream
sid
16
name
Macros/Fire/\x03VBFrame
size
297
type_literal
stream
sid
13
name
Macros/Fire/f
size
142
type_literal
stream
sid
14
name
Macros/Fire/o
size
434324
type_literal
stream
sid
18
name
Macros/PROJECT
size
522
type_literal
stream
sid
17
name
Macros/PROJECTwm
size
80
type_literal
stream
sid
9
type
macro (only attributes)
name
Macros/VBA/Fire
size
1152
type_literal
stream
sid
7
type
macro
name
Macros/VBA/ThisDocument
size
2744
type_literal
stream
sid
10
name
Macros/VBA/_VBA_PROJECT
size
4428
type_literal
stream
sid
11
name
Macros/VBA/dir
size
851
type_literal
stream
sid
8
type
macro
name
Macros/VBA/saxhorn
size
5877
type_literal
stream
sid
2
name
WordDocument
size
40785
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 940 bytes
[+] saxhorn.bas Macros/VBA/saxhorn 2475 bytes
exe-pattern create-ole handle-file obfuscated open-file run-file write-file
ExifTool file metadata
SharedDoc
No

Author
User

CodePage
Windows Cyrillic

LinksUpToDate
No

LastModifiedBy
User

HeadingPairs
, 1

Template
Normal.dot

CharCountWithSpaces
4390

CreateDate
2016:01:14 11:41:00

CompObjUserType
???????? Microsoft Office Word

ModifyDate
2016:01:14 12:02:00

TitleOfParts
RSA Encryption

Title
RSA Encryption

HyperlinksChanged
No

Characters
3742

ScaleCrop
No

RevisionNumber
20

MIMEType
application/msword

Words
656

FileType
DOC

Lines
31

AppVersion
11.5606

Security
None

Software
Microsoft Office Word

TotalEditTime
5.0 minutes

Pages
2

CompObjUserTypeLen
31

FileTypeExtension
doc

Paragraphs
8

File identification
MD5 e56a57acf528b8cd340ae039519d5150
SHA1 54e0d47d48d42e736117c0a309a95792438572d9
SHA256 b57d4554cc35824d9c0f1476d9afdafd1a1f5adc0b247ee3ea2c943d56ed1da6
ssdeep
6144:66Y22xuVjsP/Pgi8tds1dQm/EOLBQWhCVzVxbLueU8oCLDpKh:i2LV4YiQdsEm8+hh2/bKUo9

File size 501.5 KB ( 513536 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1251, Title: RSA Encryption, Author: User, Template: Normal.dot, Last Saved By: User, Revision Number: 20, Name of Creating Application: Microsoft Office Word, Total Editing Time: 05:00, Create Time/Date: Wed Jan 13 11:41:00 2016, Last Saved Time/Date: Wed Jan 13 12:02:00 2016, Number of Pages: 2, Number of Words: 656, Number of Characters: 3742, Security: 0

TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags
obfuscated open-file exe-pattern handle-file doc run-file macros write-file create-ole

VirusTotal metadata
First submission 2016-01-14 14:51:26 UTC ( 1 year, 6 months ago )
Last submission 2016-06-09 13:36:03 UTC ( 1 year, 1 month ago )
File names e56a57acf528b8cd340ae039519d5150.doc
account.doc
account (1).doc
account.doc.malware
hxxp:++www.newbeginningsari.org.au+wp-content+plugins+account.doc-2016-01-15.18-25.txt
Unconfirmed 605154.crdownload
accounts.doc