SHA256: d2a4c536d271fb9a636c0e820787e428994cf58fe8cac988ef190fc94889a994
File name: 8e2f6ab95628fa0e3e8c7d61ec6659e0
Detection ratio: 40 / 57
Analysis date: 2017-04-08 21:58:15 UTC ( 4 months, 2 weeks ago )
Antivirus | Result | Update
Ad-Aware | W97M.Downloader.QB | 20170409
AegisLab | Troj.Downloader.Vbs.Agent!c | 20170408
AhnLab-V3 | W97M/Downloader | 20170408
ALYac | W97M.Downloader.QB | 20170409
Antiy-AVL | Trojan[Downloader]/VBS.Agent.amh | 20170408
Arcabit | HEUR.VBA.Trojan.d | 20170407
Avast | MO97:Downloader-TY [Trj] | 20170408
AVG | Script/PDF.Exploit.C | 20170408
Avira (no cloud) | W2000M/Agent.073338 | 20170408
AVware | LooksLike.Macro.Malware.gen!d5 (v) | 20170408
Baidu | VBA.Trojan-Downloader.Agent.do | 20170406
BitDefender | W97M.Downloader.QB | 20170408
CAT-QuickHeal | W97M.Dropper.EY | 20170407
ClamAV | Doc.Macro.Generic-5900096-0 | 20170408
Cyren | W97M/Downloader.CI | 20170408
DrWeb | W97M.DownLoader.326 | 20170408
Emsisoft | W97M.Downloader.QB (B) | 20170408
ESET-NOD32 | VBA/TrojanDownloader.Agent.PC | 20170408
F-Prot | W97M/Downloader.CI | 20170408
F-Secure | Trojan-Downloader:W97M/Dridex.R | 20170408
Fortinet | WM/Agent.PC!tr | 20170408
GData | Macro.Trojan-Downloader.Agent.EB@gen | 20170408
Ikarus | Trojan-Downloader.VBA.Agent | 20170408
Kaspersky | Trojan-Downloader.VBS.Agent.amh | 20170408
McAfee | W97M/Downloader.agm | 20170408
McAfee-GW-Edition | W97M/Downloader.agm | 20170408
Microsoft | TrojanDownloader:W97M/Adnel.D | 20170408
eScan | W97M.Downloader.QB | 20170408
NANO-Antivirus | Trojan.Script.Agent.druync | 20170408
Panda | W97M/Downloader | 20170408
Qihoo-360 | virus.office.obfuscated.1 | 20170409
Rising | Macro.Downloader.s (classic) | 20170408
Sophos AV | Troj/DocDl-MJ | 20170408
Symantec | W97M.Downloader | 20170408
Tencent | Vbs.Trojan-downloader.Agent.Lork | 20170409
TrendMicro | W2KM_DLOADR.JCZ | 20170408
TrendMicro-HouseCall | W2KM_DLOADR.JCZ | 20170409
VIPRE | LooksLike.Macro.Malware.gen!d5 (v) | 20170409
ViRobot | DOC.Z.Agent.70656.U[h] | 20170408
ZoneAlarm by Check Point | Trojan-Downloader.VBS.Agent.amh | 20170409
Alibaba | | 20170407
Bkav | | 20170408
CMC | | 20170408
Comodo | | 20170408
CrowdStrike Falcon (ML) | | 20170130
Endgame | | 20170407
Sophos ML | | 20170203
Jiangmin | | 20170408
K7AntiVirus | | 20170408
K7GW | | 20170408
Kingsoft | | 20170409
Malwarebytes | | 20170408
nProtect | | 20170408
Palo Alto Networks (Known Signatures) | | 20170409
SentinelOne (Static ML) | | 20170330
SUPERAntiSpyware | | 20170408
Symantec Mobile Insight | | 20170406
TheHacker | | 20170406
TotalDefense | | 20170408
Trustlook | | 20170409
VBA32 | | 20170407
Webroot | | 20170409
WhiteArmor | | 20170327
Yandex | | 20170406
Zillya | | 20170407
Zoner | | 20170408
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when a document is opened or edited.
May open a file.
May write to a file.
May perform operations with other files.
May create OLE objects.
May execute code from Dynamically Linked Libraries.
Seems to contain deobfuscation code.
Summary
last_author: GN
creation_datetime: 2015-04-24 10:17:00
template: Normal.dot
author: 1
page_count: 1
last_saved: 2015-04-24 10:17:00
revision_number: 2
application_name: Microsoft Office Word
code_page: Cyrillic
Document summary
line_count: 1
version: 730895
paragraph_count: 1
code_page: Cyrillic
OLE Streams
name | sid | type_literal | type | size | clsid | clsid_literal
Root Entry | 0 | root | | 11264 | 00020906-0000-0000-c000-000000000046 | MS Word
\x01CompObj | 19 | stream | | 113 | |
\x05DocumentSummaryInformation | 4 | stream | | 4096 | |
\x05SummaryInformation | 3 | stream | | 4096 | |
1Table | 1 | stream | | 4124 | |
Macros/PROJECT | 18 | stream | | 740 | |
Macros/PROJECTwm | 17 | stream | | 182 | |
Macros/VBA/AMOS | 14 | stream | macro | 4340 | |
Macros/VBA/CLAY | 9 | stream | macro | 6016 | |
Macros/VBA/CORNELIUS | 11 | stream | macro | 4960 | |
Macros/VBA/DEXTER | 13 | stream | macro | 3220 | |
Macros/VBA/LAMAR | 12 | stream | macro | 5854 | |
Macros/VBA/PERCY | 8 | stream | macro | 3706 | |
Macros/VBA/ROLANDO | 10 | stream | macro | 6529 | |
Macros/VBA/ThisDocument | 7 | stream | macro | 2095 | |
Macros/VBA/_VBA_PROJECT | 15 | stream | | 8176 | |
Macros/VBA/dir | 16 | stream | | 1062 | |
WordDocument | 2 | stream | | 4151 | |
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 84 bytes
[+] PERCY.bas Macros/VBA/PERCY 665 bytes
exe-pattern create-ole open-file run-dll
[+] CLAY.bas Macros/VBA/CLAY 1301 bytes
exe-pattern run-dll
[+] ROLANDO.bas Macros/VBA/ROLANDO 1738 bytes
handle-file open-file write-file
[+] CORNELIUS.bas Macros/VBA/CORNELIUS 889 bytes
exe-pattern obfuscated run-dll
[+] LAMAR.bas Macros/VBA/LAMAR 1442 bytes
exe-pattern run-dll
[+] DEXTER.bas Macros/VBA/DEXTER 620 bytes
create-ole
[+] AMOS.bas Macros/VBA/AMOS 746 bytes
exe-pattern run-dll
ExifTool file metadata
SharedDoc: No
Author: 1
CodePage: Windows Cyrillic
LinksUpToDate: No
LastModifiedBy: GN
HeadingPairs: , 1
Template: Normal.dot
CharCountWithSpaces: 0
CreateDate: 2015:04:24 09:17:00
CompObjUserType: ???????? Microsoft Office Word
ModifyDate: 2015:04:24 09:17:00
HyperlinksChanged: No
Characters: 0
ScaleCrop: No
RevisionNumber: 2
MIMEType: application/msword
Words: 0
FileType: DOC
Lines: 1
AppVersion: 11.9999
Security: None
Software: Microsoft Office Word
TotalEditTime: 0
Pages: 1
CompObjUserTypeLen: 31
FileTypeExtension: doc
Paragraphs: 1
File identification
MD5: ab8401a01ac23ee85f768b50290dcb46
SHA1: 115fe1409c72ba93060c564c9583929d9483324c
SHA256: d2a4c536d271fb9a636c0e820787e428994cf58fe8cac988ef190fc94889a994
ssdeep: 768:9ZTQgKc5vlhV7hTSKL6mUtb2aTe4CHhGEwQzNqZVs:75KcNlkKLg2YGNU
File size: 69.0 KB ( 70656 bytes )
File type: MS Word Document
Magic literal: CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: 1, Template: Normal.dot, Last Saved By: GN, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Apr 23 09:17:00 2015, Last Saved Time/Date: Thu Apr 23 09:17:00 2015, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0
TrID: Microsoft Word document (80.0%)
TrID: Generic OLE2 / Multistream Compound File (20.0%)
Tags
obfuscated open-file exe-pattern handle-file doc macros run-dll write-file create-ole

VirusTotal metadata
First submission: 2015-04-24 09:44:50 UTC ( 2 years, 4 months ago )
Last submission: 2015-05-01 22:30:05 UTC ( 2 years, 3 months ago )
File names:
8e2f6ab95628fa0e3e8c7d61ec6659e0
Western_Order.doc
a5209723483fdc082219fb49699b7171
Western Order.doc