SHA256: e87e18aa8a908a85f4d2c24bdbed6b485479b6a68208f20b54fa013cc120a17c
File name: ResLi_9_Lauf_3261_vom_27.01.2016.DOC
Detection ratio: 1 / 54
Analysis date: 2016-01-27 12:30:08 UTC ( 1 year, 9 months ago )
Antivirus Result Update
Arcabit HEUR.VBA.Trojan.d 20160127
Ad-Aware 20160127
AegisLab 20160127
Yandex 20160126
AhnLab-V3 20160127
Alibaba 20160127
ALYac 20160127
Antiy-AVL 20160127
Avast 20160127
AVG 20160127
Avira (no cloud) 20160127
Baidu-International 20160127
BitDefender 20160127
Bkav 20160126
ByteHero 20160127
CAT-QuickHeal 20160127
ClamAV 20160127
CMC 20160111
Comodo 20160127
Cyren 20160127
DrWeb 20160127
Emsisoft 20160127
ESET-NOD32 20160127
F-Prot 20160127
F-Secure 20160127
Fortinet 20160127
GData 20160127
Ikarus 20160127
Jiangmin 20160127
K7AntiVirus 20160127
K7GW 20160127
Kaspersky 20160127
Malwarebytes 20160127
McAfee 20160127
McAfee-GW-Edition 20160127
Microsoft 20160127
eScan 20160127
NANO-Antivirus 20160127
nProtect 20160127
Panda 20160126
Qihoo-360 20160127
Rising 20160127
Sophos AV 20160127
SUPERAntiSpyware 20160127
Symantec 20160126
Tencent 20160127
TheHacker 20160124
TrendMicro 20160127
TrendMicro-HouseCall 20160127
VBA32 20160127
VIPRE 20160127
ViRobot 20160127
Zillya 20160127
Zoner 20160127
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May create OLE objects.
Seems to contain deobfuscation code.
Summary
last_author: User
creation_datetime: 2016-01-27 12:07:00
template: Normal.dot
author: Administrator
page_count: 1
last_saved: 2016-01-27 12:15:00
edit_time: 180
word_count: 27
revision_number: 7
application_name: Microsoft Office Word
character_count: 511
code_page: Cyrillic
Document summary
byte_count: 44032
company:
characters_with_spaces: 525
line_count: 14
version: 726502
paragraph_count: 3
code_page: Cyrillic
OLE Streams
name: Root Entry; type_literal: root; clsid: 00020906-0000-0000-c000-000000000046; clsid_literal: MS Word; sid: 0; size: 9600
name: \x01CompObj; type_literal: stream; sid: 20; size: 113
name: \x05DocumentSummaryInformation; type_literal: stream; sid: 4; size: 4096
name: \x05SummaryInformation; type_literal: stream; sid: 3; size: 4096
name: 1Table; type_literal: stream; sid: 1; size: 4378
name: Macros/PROJECT; type_literal: stream; sid: 19; size: 570
name: Macros/PROJECTwm; type_literal: stream; sid: 18; size: 116
name: Macros/VBA/ThisDocument; type_literal: stream; type: macro; sid: 7; size: 3937
name: Macros/VBA/_VBA_PROJECT; type_literal: stream; sid: 11; size: 4729
name: Macros/VBA/dir; type_literal: stream; sid: 12; size: 920
name: Macros/VBA/gull; type_literal: stream; type: macro; sid: 8; size: 4557
name: Macros/VBA/monegasque; type_literal: stream; type: macro; sid: 9; size: 1829
name: Macros/VBA/timeball; type_literal: stream; type: macro (only attributes); sid: 10; size: 1157
name: Macros/timeball/\x01CompObj; type_literal: stream; sid: 16; size: 97
name: Macros/timeball/\x03VBFrame; type_literal: stream; sid: 17; size: 290
name: Macros/timeball/f; type_literal: stream; sid: 14; size: 131
name: Macros/timeball/o; type_literal: stream; sid: 15; size: 96
name: WordDocument; type_literal: stream; sid: 2; size: 6190
Macros and VBA code streams
ThisDocument.cls Macros/VBA/ThisDocument 1347 bytes
exe-pattern create-ole obfuscated
gull.bas Macros/VBA/gull 1857 bytes
create-ole obfuscated open-file
monegasque.bas Macros/VBA/monegasque 539 bytes
ExifTool file metadata
SharedDoc: No
Author: Administrator
CodePage: Windows Cyrillic
LinksUpToDate: No
LastModifiedBy: User
HeadingPairs: , 1
Template: Normal.dot
CharCountWithSpaces: 525
CreateDate: 2016:01:27 11:07:00
CompObjUserType: ???????? Microsoft Office Word
ModifyDate: 2016:01:27 11:15:00
HyperlinksChanged: No
Characters: 511
ScaleCrop: No
RevisionNumber: 7
MIMEType: application/msword
Words: 27
Bytes: 44032
FileType: DOC
Lines: 14
AppVersion: 11.5606
Security: None
Software: Microsoft Office Word
TotalEditTime: 3.0 minutes
Pages: 1
CompObjUserTypeLen: 31
FileTypeExtension: doc
Paragraphs: 3

File identification
MD5 40b961bbf0a192050e56f876a93572a1
SHA1 5ce7c56b0520bf82fc32930e65c8381d1a257d61
SHA256 e87e18aa8a908a85f4d2c24bdbed6b485479b6a68208f20b54fa013cc120a17c
ssdeep
384:wzSKu3FUHHlAbaZ6gPA1KKf34ztAakrCgk0+yjXMOR0Z0j8PKm1/pITvT:B3bba7PAlfukNT+3ORgRxk

File size 43.0 KB ( 44032 bytes )
File type MS Word Document
Magic literal
CDF V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1251, Author: Administrator, Template: Normal.dot, Last Saved By: User, Revision Number: 7, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:00, Create Time/Date: Tue Jan 26 11:07:00 2016, Last Saved Time/Date: Tue Jan 26 11:15:00 2016, Number of Pages: 1, Number of Words: 27, Number of Characters: 511, Security: 0

TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags
obfuscated open-file exe-pattern doc macros attachment via-tor create-ole

VirusTotal metadata
First submission 2016-01-27 11:51:40 UTC ( 1 year, 9 months ago )
Last submission 2016-08-26 16:12:30 UTC ( 1 year, 1 month ago )
File names 19875_Rechnung_2016-18637_20151222.doc
ResLi_9_Lauf_3261_vom_27_01_2016.DOC
virus_sample_02947.doc
19875_Rechnung_2016-18637_20151222-2.doc
ResLi_9_Lauf_3261_vom_27.01.2016.DOC
11_ResLi_9_Lauf_3261_vom_27.01.2016.DOC
virus_sample_3840363946.doc
AV_ResLi_9_Lauf_3261_vom_27.01.2016.DOC
5ce7c56b0520bf82fc32930e65c8381d1a257d61.doc
ResLi_9_Lauf_3261_vom_27.01.2016 2.DOC
ResLi_9_Lauf_3261_vom_27.01.2016.DOC_VIRUS_
ResLi_9_Lauf_3261_vom_27.01.2016.DOC.VIR
5ae687a6c86e3c117899d2c994b418d454f8dbef
ResLi_9_Lauf_3261_vom_27.01.2016_2.DOC
MS Word.octet-stream
virus_sample_006377.doc
infected.DOC