SHA256: dcfee39ce42758c20ebc68e804e96c16377645802beccdb2bc240abeabb3f0eb
File name: RBCSecureMessage.doc
Detection ratio: 5 / 55
Analysis date: 2017-02-15 19:33:28 UTC ( 1 month, 1 week ago )
Antivirus Result Update
AegisLab Macro.Troj.Downloader!c 20170215
Arcabit HEUR.VBA.Trojan.e 20170215
GData Macro.Trojan-Downloader.Agent.VH 20170215
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi 20170215
Rising Macro.Agent.dx (classic) 20170215
Ad-Aware 20170215
AhnLab-V3 20170215
Alibaba 20170215
ALYac 20170215
Antiy-AVL 20170215
Avast 20170215
AVG 20170215
Avira (no cloud) 20170215
AVware 20170215
Baidu 20170215
BitDefender 20170215
Bkav 20170215
CAT-QuickHeal 20170215
ClamAV 20170215
CMC 20170215
Comodo 20170215
CrowdStrike Falcon (ML) 20170130
Cyren 20170215
DrWeb 20170215
Emsisoft 20170215
Endgame 20170208
ESET-NOD32 20170215
F-Prot 20170215
F-Secure 20170215
Fortinet 20170215
Ikarus 20170215
Invincea 20170203
Jiangmin 20170215
K7AntiVirus 20170215
K7GW 20170215
Kaspersky 20170215
Kingsoft 20170215
Malwarebytes 20170215
McAfee 20170215
McAfee-GW-Edition 20170215
Microsoft 20170215
eScan 20170215
nProtect 20170215
Panda 20170215
Qihoo-360 20170215
Sophos 20170215
SUPERAntiSpyware 20170215
Symantec 20170215
Tencent 20170215
TheHacker 20170215
TrendMicro 20170215
TrendMicro-HouseCall 20170215
Trustlook 20170215
VBA32 20170215
VIPRE 20170215
ViRobot 20170215
Webroot 20170215
WhiteArmor 20170215
Yandex 20170215
Zillya 20170215
Zoner 20170215
The file being studied follows the Compound Document File format! More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May try to run other files, shell commands or applications.
Seems to contain deobfuscation code.
Summary
last_author: Accounting
creation_datetime: 2017-02-16 15:36:00
author: LaLka
title: Secure Message
page_count: 1
last_saved: 2017-02-15 17:43:00
edit_time: 540
word_count: 52
revision_number: 4
application_name: Microsoft Office Word
character_count: 297
template: Normal.dotm
code_page: Latin I
subject: Royal Bank Of Canada Website, © 1995-2014
Document summary
line_count: 2
company: RT-TEAM.NET
characters_with_spaces: 348
version: 1048576
paragraph_count: 1
code_page: Latin I
OLE Streams
name: Root Entry, type_literal: root, clsid: 00020906-0000-0000-c000-000000000046, clsid_literal: MS Word, sid: 0, size: 13056
name: \x01CompObj, type_literal: stream, sid: 24, size: 114
name: \x05DocumentSummaryInformation, type_literal: stream, sid: 5, size: 4096
name: \x05SummaryInformation, type_literal: stream, sid: 4, size: 4096
name: 1Table, type_literal: stream, sid: 2, size: 9242
name: Data, type_literal: stream, sid: 1, size: 4096
name: Macros/PROJECT, type_literal: stream, sid: 17, size: 598
name: Macros/PROJECTwm, type_literal: stream, sid: 18, size: 95
name: Macros/UserForm1/\x01CompObj, type_literal: stream, sid: 22, size: 97
name: Macros/UserForm1/\x03VBFrame, type_literal: stream, sid: 23, size: 292
name: Macros/UserForm1/f, type_literal: stream, sid: 20, size: 275
name: Macros/UserForm1/o, type_literal: stream, sid: 21, size: 520
name: Macros/VBA/Module1, type_literal: stream, type: macro, sid: 13, size: 2810
name: Macros/VBA/ThisDocument, type_literal: stream, type: macro, sid: 15, size: 1081
name: Macros/VBA/UserForm1, type_literal: stream, type: macro, sid: 14, size: 1751
name: Macros/VBA/_VBA_PROJECT, type_literal: stream, sid: 16, size: 3486
name: Macros/VBA/dir, type_literal: stream, sid: 12, size: 846
name: MsoDataStore/W\xd6\xda\xd1\xc9\xc1W\xde\xccUWR2U\xde\xc2TAMI\xd0Q==/Item, type_literal: stream, sid: 8, size: 272
name: MsoDataStore/W\xd6\xda\xd1\xc9\xc1W\xde\xccUWR2U\xde\xc2TAMI\xd0Q==/Properties, type_literal: stream, sid: 9, size: 341
name: WordDocument, type_literal: stream, sid: 3, size: 4096
Macros and VBA code streams
ThisDocument.cls Macros/VBA/ThisDocument 29 bytes
Module1.bas Macros/VBA/Module1 826 bytes
obfuscated run-file
UserForm1.frm Macros/VBA/UserForm1 164 bytes
ExifTool file metadata
SharedDoc: No
Author: LaLka
CodePage: Windows Latin 1 (Western European)
LinksUpToDate: No
LastModifiedBy: Accounting
HeadingPairs: Title, 1, , 1
Template: Normal.dotm
CharCountWithSpaces: 348
CreateDate: 2017:02:16 14:36:00
CompObjUserType: Microsoft Word 97-2003 Document
ModifyDate: 2017:02:15 16:43:00
TitleOfParts: ,
Company: RT-TEAM.NET
Title: Secure Message
HyperlinksChanged: No
Characters: 297
ScaleCrop: No
RevisionNumber: 4
MIMEType: application/msword
Words: 52
FileType: DOC
Lines: 2
AppVersion: 16.0
Security: None
Software: Microsoft Office Word
TotalEditTime: 9.0 minutes
Pages: 1
CompObjUserTypeLen: 32
FileTypeExtension: doc
Paragraphs: 1
Subject: Royal Bank Of Canada Website, 1995-2014

File identification
MD5 a3527618833fef236568ecba05874dbc
SHA1 814c925232db5e62340023675d7cde817495d72b
SHA256 dcfee39ce42758c20ebc68e804e96c16377645802beccdb2bc240abeabb3f0eb
ssdeep 384:0kATwow4yiSsqdg1vA9vQtCE18cDu6xz99xtR3ffMBBZS6/USX0j4R460MhBep:liq+1o9cHDu6xz99Ff6rjz30Mrep

File size 44.0 KB ( 45056 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Secure Message, Subject: Royal Bank Of Canada Website, © 1995-2014, Author: LaLka, Template: Normal.dotm, Last Saved By: Accounting, Revision Number: 4, Name of Creating Application: Microsoft Office Word, Total Editing Time: 09:00, Create Time/Date: Wed Feb 15 14:36:00 2017, Last Saved Time/Date: Tue Feb 14 16:43:00 2017, Number of Pages: 1, Number of Words: 52, Number of Characters: 297, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated macros run-file attachment doc

VirusTotal metadata
First submission 2017-02-15 17:54:02 UTC ( 1 month, 1 week ago )
Last submission 2017-02-27 12:22:25 UTC ( 4 weeks ago )
File names dcfee39ce42758c20ebc68e804e96c16377645802beccdb2bc240abeabb3f0eb.bin
61b2e6e6c6ac72dc3ec11211a475e882
b3037972cb7ac1f5b4addc405d7d6409
814c925232db5e62340023675d7cde817495d72b.doc
08bb1328a90ddb3e6d664af58cb71d78
RBCSecureMessage 1446.doc
File scan
a3527618833fef236568ecba05874dbc.doc
RBCSecureMessage.doc
0368d24beb56b50660be7e7694d41cb0
RBCSecureMessage.doc
RBCSecureMessage.doc