SHA256: be65b6dc6d178a8a76f9cee061f180a4439ed6e0a420cf533c1d12ab8397d054
File name: malware.doc
Detection ratio: 6 / 55
Analysis date: 2015-11-26 12:44:31 UTC ( 1 year, 11 months ago )
Antivirus Result Update
Arcabit HEUR.VBA.Trojan 20151126
AVware LooksLike.Macro.Malware.h (v) 20151126
McAfee W97M/Dropper.ae 20151126
McAfee-GW-Edition W97M/Dropper.ae 20151126
NANO-Antivirus Trojan.Script.Agent.dytmvr 20151126
VIPRE LooksLike.Macro.Malware.h (v) 20151126
Ad-Aware 20151126
AegisLab 20151126
Yandex 20151125
AhnLab-V3 20151126
Alibaba 20151126
ALYac 20151126
Antiy-AVL 20151126
Avast 20151126
AVG 20151126
Avira (no cloud) 20151126
Baidu-International 20151126
BitDefender 20151126
Bkav 20151126
ByteHero 20151126
CAT-QuickHeal 20151126
ClamAV 20151126
CMC 20151124
Comodo 20151126
Cyren 20151126
DrWeb 20151126
Emsisoft 20151126
ESET-NOD32 20151126
F-Prot 20151126
F-Secure 20151126
Fortinet 20151126
GData 20151126
Ikarus 20151126
Jiangmin 20151125
K7AntiVirus 20151126
K7GW 20151126
Kaspersky 20151126
Malwarebytes 20151126
Microsoft 20151126
eScan 20151126
nProtect 20151126
Panda 20151126
Qihoo-360 20151126
Rising 20151124
Sophos AV 20151126
SUPERAntiSpyware 20151126
Symantec 20151125
Tencent 20151126
TheHacker 20151125
TrendMicro 20151126
TrendMicro-HouseCall 20151126
VBA32 20151125
ViRobot 20151126
Zillya 20151123
Zoner 20151126
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when a document is opened or edited.
May read system environment variables.
May open a file.
May write to a file.
May create additional files.
May create OLE objects.
May execute code from Dynamically Linked Libraries.
May try to interact with other applications, for example, by sending key strokes.
Seems to contain deobfuscation code.
Summary
last_author: ZdxXFrwbmZl
creation_datetime: 2015-11-21 19:59:00
template: Normal.dotm
author: eKwUN
page_count: 1
last_saved: 2015-11-22 15:48:00
edit_time: 60
word_count: 7023
revision_number: 3
application_name: Microsoft Office Word
character_count: 40035
code_page: Latin I
Document summary
line_count: 333
characters_with_spaces: 46965
version: 983040
paragraph_count: 93
code_page: Latin I
OLE Streams
name: Root Entry; sid: 0; type_literal: root; size: 1600; clsid: 00020906-0000-0000-c000-000000000046; clsid_literal: MS Word
name: \x01CompObj; sid: 13; type_literal: stream; size: 114
name: \x05DocumentSummaryInformation; sid: 5; type_literal: stream; size: 4096
name: \x05SummaryInformation; sid: 4; type_literal: stream; size: 416
name: 1Table; sid: 2; type_literal: stream; size: 7399
name: Data; sid: 1; type_literal: stream; size: 135337
name: Macros/PROJECT; sid: 11; type_literal: stream; size: 376
name: Macros/PROJECTwm; sid: 12; type_literal: stream; size: 41
name: Macros/VBA/ThisDocument; sid: 9; type_literal: stream; size: 31914; type: macro
name: Macros/VBA/_VBA_PROJECT; sid: 10; type_literal: stream; size: 6841
name: Macros/VBA/dir; sid: 8; type_literal: stream; size: 514
name: WordDocument; sid: 3; type_literal: stream; size: 51246
Macros and VBA code streams
ThisDocument.cls Macros/VBA/ThisDocument 15472 bytes
create-file create-ole environ obfuscated open-file run-dll send-keys write-file
ExifTool file metadata
SharedDoc: No
Author: eKwUN
CodePage: Windows Latin 1 (Western European)
LinksUpToDate: No
LastModifiedBy: ZdxXFrwbmZl
HeadingPairs: Title, 1
Template: Normal.dotm
CharCountWithSpaces: 46965
CreateDate: 2015:11:21 18:59:00
CompObjUserType: Microsoft Word 97-2003 Document
ModifyDate: 2015:11:22 14:48:00
HyperlinksChanged: No
Characters: 40035
ScaleCrop: No
RevisionNumber: 3
MIMEType: application/msword
Words: 7023
FileType: DOC
Lines: 333
AppVersion: 15.0
Security: None
Software: Microsoft Office Word
TotalEditTime: 1.0 minutes
Pages: 1
CompObjUserTypeLen: 32
FileTypeExtension: doc
Paragraphs: 93

File identification
MD5 05cbdad334b7b88aba3f093468cbddca
SHA1 ab98b95e10b63c4f9b6ea930c6625c8086d2e301
SHA256 be65b6dc6d178a8a76f9cee061f180a4439ed6e0a420cf533c1d12ab8397d054
ssdeep 3072:UY8+R/4v7zwGNa4jmBIg48lajXpJDLFOeeo:UGYHk0mwjbpreo

File size 244.0 KB ( 249856 bytes )
File type MS Word Document
Magic literal CDF V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: eKwUN, Template: Normal.dotm, Last Saved By: ZdxXFrwbmZl, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Fri Nov 20 18:59:00 2015, Last Saved Time/Date: Sat Nov 21 14:48:00 2015, Number of Pages: 1, Number of Words: 7023, Number of Characters: 40035, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated open-file doc create-file macros run-dll environ send-keys write-file create-ole

VirusTotal metadata
First submission 2015-11-26 12:44:31 UTC ( 1 year, 11 months ago )
Last submission 2015-11-30 05:23:50 UTC ( 1 year, 10 months ago )
File names malware.doc