SHA256: de30f010d310d1534bbb8865dd954cb3e8a7a37116619775a3f65257e51c5a52
File name: RG-6160002-SFLEX-ENERIBA-Burkhart, Wil-2016-01-28.doc
Detection ratio: 5 / 52
Analysis date: 2016-01-28 11:18:55 UTC ( 1 year, 8 months ago )
Antivirus Result Update
AegisLab Macro.Troj.Downloader!c 20160128
F-Secure Trojan:W97M/MaliciousMacro.GEN 20160128
GData Macro.Trojan-Downloader.Agent.FV 20160128
Qihoo-360 heur.macro.download.cc 20160128
VIPRE Trojan-Downloader.W97M.Adnel.b (v) 20160128
Ad-Aware 20160128
Yandex 20160126
AhnLab-V3 20160128
Alibaba 20160128
ALYac 20160128
Antiy-AVL 20160128
Arcabit 20160128
Avast 20160128
AVG 20160128
Baidu-International 20160128
BitDefender 20160128
Bkav 20160127
ByteHero 20160128
CAT-QuickHeal 20160128
ClamAV 20160128
CMC 20160111
Comodo 20160128
Cyren 20160128
DrWeb 20160128
Emsisoft 20160128
ESET-NOD32 20160128
F-Prot 20160128
Fortinet 20160128
Ikarus 20160128
Jiangmin 20160128
K7AntiVirus 20160128
K7GW 20160128
Kaspersky 20160128
Malwarebytes 20160128
McAfee 20160128
McAfee-GW-Edition 20160128
Microsoft 20160128
eScan 20160128
NANO-Antivirus 20160128
nProtect 20160128
Panda 20160127
Rising 20160128
Sophos AV 20160128
SUPERAntiSpyware 20160128
Symantec 20160127
TheHacker 20160124
TrendMicro 20160128
TrendMicro-HouseCall 20160128
VBA32 20160127
ViRobot 20160128
Zillya 20160128
Zoner 20160128
The file being studied follows the Compound Document File format. More specifically, it is an MS Word document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May write to a file.
May create additional files.
May create OLE objects.
Seems to contain deobfuscation code.
Summary
last_author: Microsoft Office
creation_datetime: 2016-01-28 06:44:00
author: Microsoft Office
title: functional
page_count: 1
last_saved: 2016-01-28 06:44:00
edit_time: 60
word_count: 1
revision_number: 2
application_name: Microsoft Office Word
character_count: 10
code_page: Cyrillic
template: Normal.dot
Document summary
line_count: 1
company: Microsoft Corporation
characters_with_spaces: 10
version: 730895
paragraph_count: 1
code_page: Cyrillic
OLE Streams
name: Root Entry; sid: 0; type_literal: root; size: 7104; clsid: 00020906-0000-0000-c000-000000000046; clsid_literal: MS Word
name: \x01CompObj; sid: 27; type_literal: stream; size: 113
name: \x05DocumentSummaryInformation; sid: 4; type_literal: stream; size: 4096
name: \x05SummaryInformation; sid: 3; type_literal: stream; size: 4096
name: 1Table; sid: 1; type_literal: stream; size: 4096
name: Macros/PROJECT; sid: 26; type_literal: stream; size: 546
name: Macros/PROJECTwm; sid: 25; type_literal: stream; size: 95
name: Macros/UserForm1/\x01CompObj; sid: 23; type_literal: stream; size: 97
name: Macros/UserForm1/\x03VBFrame; sid: 24; type_literal: stream; size: 291
name: Macros/UserForm1/f; sid: 17; type_literal: stream; size: 90
name: Macros/UserForm1/i01/\x01CompObj; sid: 22; type_literal: stream; size: 112
name: Macros/UserForm1/i01/f; sid: 20; type_literal: stream; size: 145
name: Macros/UserForm1/i01/o; sid: 21; type_literal: stream; size: 136
name: Macros/UserForm1/o; sid: 18; type_literal: stream; size: 0
name: Macros/VBA/Module2; sid: 10; type_literal: stream; size: 33578; type: macro
name: Macros/VBA/ThisDocument; sid: 7; type_literal: stream; size: 1669; type: macro
name: Macros/VBA/UserForm1; sid: 11; type_literal: stream; size: 1344; type: macro (only attributes)
name: Macros/VBA/_VBA_PROJECT; sid: 12; type_literal: stream; size: 8963
name: Macros/VBA/__SRP_0; sid: 14; type_literal: stream; size: 4539
name: Macros/VBA/__SRP_1; sid: 15; type_literal: stream; size: 720
name: Macros/VBA/__SRP_2; sid: 8; type_literal: stream; size: 264
name: Macros/VBA/__SRP_3; sid: 9; type_literal: stream; size: 103
name: Macros/VBA/dir; sid: 13; type_literal: stream; size: 855
name: WordDocument; sid: 2; type_literal: stream; size: 4142
Macros and VBA code streams
ThisDocument.cls Macros/VBA/ThisDocument 50 bytes
Module2.bas Macros/VBA/Module2 22344 bytes
create-file create-ole obfuscated open-file write-file
ExifTool file metadata
SharedDoc: No
Author: Microsoft Office
CodePage: Windows Cyrillic
LinksUpToDate: No
LastModifiedBy: Microsoft Office
HeadingPairs: , 1
Template: Normal.dot
CharCountWithSpaces: 10
CreateDate: 2016:01:28 05:44:00
CompObjUserType: ???????? Microsoft Office Word
ModifyDate: 2016:01:28 05:44:00
TitleOfParts: functional
Company: Microsoft Corporation
Title: functional
HyperlinksChanged: No
Characters: 10
ScaleCrop: No
RevisionNumber: 2
MIMEType: application/msword
Words: 1
FileType: DOC
Lines: 1
AppVersion: 11.9999
Security: None
Software: Microsoft Office Word
TotalEditTime: 1.0 minutes
Pages: 1
CompObjUserTypeLen: 31
FileTypeExtension: doc
Paragraphs: 1

File identification
MD5 14859471d95b338c8bdda057eab8ce6a
SHA1 c50a97f4b7d00a8001dc318184b6dc9c927d26de
SHA256 de30f010d310d1534bbb8865dd954cb3e8a7a37116619775a3f65257e51c5a52
ssdeep 768:G/UAmqJFBlhTgo4LFD2yfxlaBy91rD5RVpmsAJzYXeuBMrcDt8t+Kpi:lagoyFDraByzrRHOzcMkG+KY

File size 77.0 KB ( 78848 bytes )
File type MS Word Document
Magic literal CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Title: functional, Author: Microsoft Office, Template: Normal.dot, Last Saved By: Microsoft Office, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Wed Jan 27 05:44:00 2016, Last Saved Time/Date: Wed Jan 27 05:44:00 2016, Number of Pages: 1, Number of Words: 1, Number of Characters: 10, Security: 0

TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags obfuscated open-file doc create-file macros attachment write-file create-ole

VirusTotal metadata
First submission 2016-01-28 10:04:38 UTC ( 1 year, 8 months ago )
Last submission 2016-05-20 06:41:45 UTC ( 1 year, 4 months ago )
File names RG-6160002-SFLEX-ENERIBA-Burkhart Wil-2016-01-28.doc
RG-6160002-SFLEX-ENERIBA-Burkhart, Wil-2016-01-28.doc_
MAKROVIRUS.doc
RG-6160002-SFLEX-ENERIBA-Burkhart, Wil-2016-01-28.doc
RG-6160002-SFLEX-ENERIBA-Burkhart, Wil-2016-01-28.blorr.doc
RG-6160002-SFLEX-ENERIBA-Burkhart,XWil-2016-01-28.doc
virus_sample_00411.doc
RG-6160002-SFLEX-ENERIBA-Burkhart, Wil-2016-01-28.virus
suspicious-virus.doc
VIR__RG-6160002-SFLEX-ENERIBA-Burkhart, Wil-2016-01-28.doc
1.doc
_RG-6160002-SFLEX-ENERIBA-Burkhart, Wil-2016-01-28.doc
rg_6160002_sflex_eneriba_burkhart_wil_2016_01_28.doc
RG-6160002-SFLEX-ENERIBA-Burkhart,_Wil-2016-01-28.doc
RG-6160002-SFLEX-ENERIBA-Burkhart, Wil-2016-01-28.doc-virus