SHA256: d7cefbfcfc5af2529683b156f7afe5c88cac653009f9b30fd7663f9a27dabcc3
File name: 9210-01.doc
Detection ratio: 2 / 53
Analysis date: 2016-01-27 13:56:32 UTC ( 1 year, 10 months ago )
Antivirus Result Update
Arcabit HEUR.VBA.Trojan.d 20160127
Fortinet WM/TrojanDownloader.4D52!tr 20160127
Ad-Aware 20160127
AegisLab 20160127
Yandex 20160126
AhnLab-V3 20160127
Alibaba 20160127
ALYac 20160127
Antiy-AVL 20160127
Avast 20160127
AVG 20160127
Avira (no cloud) 20160127
Baidu-International 20160127
BitDefender 20160127
Bkav 20160127
ByteHero 20160127
CAT-QuickHeal 20160127
ClamAV 20160127
CMC 20160111
Comodo 20160127
Cyren 20160127
DrWeb 20160127
Emsisoft 20160127
ESET-NOD32 20160127
F-Prot 20160127
F-Secure 20160127
GData 20160127
Ikarus 20160127
Jiangmin 20160127
K7AntiVirus 20160127
K7GW 20160127
Kaspersky 20160127
Malwarebytes 20160127
McAfee 20160127
McAfee-GW-Edition 20160127
Microsoft 20160127
eScan 20160127
NANO-Antivirus 20160127
nProtect 20160127
Panda 20160126
Qihoo-360 20160127
Rising 20160127
Sophos AV 20160127
SUPERAntiSpyware 20160127
Symantec 20160126
TheHacker 20160124
TrendMicro 20160127
TrendMicro-HouseCall 20160127
VBA32 20160127
VIPRE 20160127
ViRobot 20160127
Zillya 20160127
Zoner 20160127
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May create OLE objects.
Seems to contain deobfuscation code.
Summary
last_author: User
creation_datetime: 2016-01-27 10:18:00
template: Normal.dot
author: Administrator
page_count: 1
last_saved: 2016-01-27 13:23:00
edit_time: 60
word_count: 79
revision_number: 3
application_name: Microsoft Office Word
character_count: 455
code_page: Cyrillic
Document summary
byte_count: 11000
company:
characters_with_spaces: 533
line_count: 3
version: 726502
paragraph_count: 1
code_page: Cyrillic
OLE Streams
name: Root Entry, clsid: 00020906-0000-0000-c000-000000000046, type_literal: root, clsid_literal: MS Word, sid: 0, size: 9664
type_literal: stream, size: 113, name: \x01CompObj, sid: 20
type_literal: stream, size: 4096, name: \x05DocumentSummaryInformation, sid: 4
type_literal: stream, size: 4096, name: \x05SummaryInformation, sid: 3
type_literal: stream, size: 4498, name: 1Table, sid: 1
type_literal: stream, size: 539, name: Macros/PROJECT, sid: 19
type_literal: stream, size: 95, name: Macros/PROJECTwm, sid: 18
type_literal: stream, size: 3892, type: macro, name: Macros/VBA/ThisDocument, sid: 7
type_literal: stream, size: 4744, name: Macros/VBA/_VBA_PROJECT, sid: 11
type_literal: stream, size: 5211, type: macro, name: Macros/VBA/alvine, sid: 8
type_literal: stream, size: 2058, type: macro, name: Macros/VBA/buyer, sid: 9
type_literal: stream, size: 895, name: Macros/VBA/dir, sid: 12
type_literal: stream, size: 1153, type: macro (only attributes), name: Macros/VBA/linn, sid: 10
type_literal: stream, size: 97, name: Macros/linn/\x01CompObj, sid: 16
type_literal: stream, size: 288, name: Macros/linn/\x03VBFrame, sid: 17
type_literal: stream, size: 98, name: Macros/linn/f, sid: 14
type_literal: stream, size: 112, name: Macros/linn/o, sid: 15
type_literal: stream, size: 6190, name: WordDocument, sid: 2
Macros and VBA code streams
ThisDocument.cls Macros/VBA/ThisDocument 1338 bytes
exe-pattern create-ole obfuscated
alvine.bas Macros/VBA/alvine 2219 bytes
create-ole obfuscated open-file
buyer.bas Macros/VBA/buyer 628 bytes
ExifTool file metadata
SharedDoc: No
Author: Administrator
CodePage: Windows Cyrillic
LinksUpToDate: No
LastModifiedBy: User
HeadingPairs: , 1
Template: Normal.dot
CharCountWithSpaces: 533
CreateDate: 2016:01:27 09:18:00
CompObjUserType: ???????? Microsoft Office Word
ModifyDate: 2016:01:27 12:23:00
HyperlinksChanged: No
Characters: 455
ScaleCrop: No
RevisionNumber: 3
MIMEType: application/msword
Words: 79
Bytes: 11000
FileType: DOC
Lines: 3
AppVersion: 11.5606
Security: None
Software: Microsoft Office Word
TotalEditTime: 1.0 minutes
Pages: 1
CompObjUserTypeLen: 31
FileTypeExtension: doc
Paragraphs: 1

File identification
MD5 be406a550e2a36c51a4d40222a81caf8
SHA1 e8de1fde042a27fd2b4f5b7f347f8aef4eeb2fd9
SHA256 d7cefbfcfc5af2529683b156f7afe5c88cac653009f9b30fd7663f9a27dabcc3
ssdeep 384:wv6tSKDpsYHHHlS3mKVnbb+bzAqC4tbTbB5mJAA2LEPiZ0j2B2RFPV:C6Np9lrQbjVgfB4AAxPeF2J

File size 44.0 KB ( 45056 bytes )
File type MS Word Document
Magic literal CDF V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1251, Author: Administrator, Template: Normal.dot, Last Saved By: User, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Tue Jan 26 09:18:00 2016, Last Saved Time/Date: Tue Jan 26 12:23:00 2016, Number of Pages: 1, Number of Words: 79, Number of Characters: 455, Security: 0

TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags
obfuscated open-file exe-pattern doc macros attachment create-ole

VirusTotal metadata
First submission 2016-01-27 13:19:33 UTC ( 1 year, 10 months ago )
Last submission 2016-01-30 01:43:10 UTC ( 1 year, 9 months ago )
File names feefdbf25b74fae84984cfb66a97f712
71453e70852ac5a15c8c1e9ae66da8c7
9210-01.doc
4d9288c185c2acca638ff0aa7e4bb6e5
7d90aa6ca7452e02faeb6097ab07f3ee
040aa18b99ec9fcebd3a9fbcef72a006
9210.doc
7e62412b8b3e72e8bd722e431e048ae5