SHA256: e96a81b318493459f104998c0dcf6f89f447529f5c0217088be564367ffd50a7
File name: malware3.doc
Detection ratio: 5 / 55
Analysis date: 2015-11-23 13:23:48 UTC ( 3 years, 6 months ago )
Antivirus Result Update
Arcabit HEUR(high).VBA.Trojan 20151123
AVware LooksLike.Macro.Malware.g (v) 20151123
Sophos AV Troj/DocDl-ACU 20151123
Tencent Heur.MSWord.Downloader.d 20151123
VIPRE LooksLike.Macro.Malware.g (v) 20151123
Ad-Aware 20151123
AegisLab 20151123
Yandex 20151122
AhnLab-V3 20151122
Alibaba 20151123
ALYac 20151123
Antiy-AVL 20151123
Avast 20151123
AVG 20151123
Avira (no cloud) 20151123
Baidu-International 20151123
BitDefender 20151123
Bkav 20151123
ByteHero 20151123
CAT-QuickHeal 20151123
ClamAV 20151123
CMC 20151118
Comodo 20151123
Cyren 20151123
DrWeb 20151123
Emsisoft 20151123
ESET-NOD32 20151123
F-Prot 20151123
F-Secure 20151123
Fortinet 20151123
GData 20151123
Ikarus 20151123
Jiangmin 20151122
K7AntiVirus 20151123
K7GW 20151123
Kaspersky 20151123
Malwarebytes 20151123
McAfee 20151123
McAfee-GW-Edition 20151123
Microsoft 20151123
eScan 20151123
NANO-Antivirus 20151123
nProtect 20151120
Panda 20151122
Qihoo-360 20151123
Rising 20151122
SUPERAntiSpyware 20151123
Symantec 20151122
TheHacker 20151121
TrendMicro 20151123
TrendMicro-HouseCall 20151123
VBA32 20151120
ViRobot 20151123
Zillya 20151123
Zoner 20151123
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May read system environment variables.
May open a file.
May write to a file.
May create additional files.
May try to run other files, shell commands or applications.
May create OLE objects.
May enumerate open windows.
Seems to contain deobfuscation code.
Seems to contain code to deceive researchers and automatic analysis systems.
Summary
last_author: 1
creation_datetime: 2015-11-23 07:22:00
template: Normal
author: 1
page_count: 1
last_saved: 2015-11-23 13:43:00
edit_time: 720
revision_number: 32
application_name: Microsoft Office Word
code_page: Cyrillic
Document summary
company: Home
version: 917504
code_page: Cyrillic
OLE Streams
name: Root Entry; type_literal: root; size: 2880; sid: 0; clsid: 00020906-0000-0000-c000-000000000046; clsid_literal: MS Word
name: \x01CompObj; type_literal: stream; size: 114; sid: 15
name: \x05DocumentSummaryInformation; type_literal: stream; size: 4096; sid: 4
name: \x05SummaryInformation; type_literal: stream; size: 4096; sid: 3
name: 1Table; type_literal: stream; size: 7568; sid: 1
name: Macros/PROJECT; type_literal: stream; size: 511; sid: 14
name: Macros/PROJECTwm; type_literal: stream; size: 113; sid: 13
name: Macros/VBA/Module1; type_literal: stream; type: macro; size: 10908; sid: 8
name: Macros/VBA/Module2; type_literal: stream; type: macro; size: 14242; sid: 9
name: Macros/VBA/Module3; type_literal: stream; type: macro; size: 18730; sid: 10
name: Macros/VBA/ThisDocument; type_literal: stream; type: macro; size: 1419; sid: 7
name: Macros/VBA/_VBA_PROJECT; type_literal: stream; size: 6169; sid: 11
name: Macros/VBA/dir; type_literal: stream; size: 618; sid: 12
name: WordDocument; type_literal: stream; size: 4096; sid: 2
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 132 bytes
[+] Module1.bas Macros/VBA/Module1 5948 bytes
create-ole open-file write-file
[+] Module2.bas Macros/VBA/Module2 7911 bytes
exe-pattern url-pattern create-file create-ole obfuscated open-file
[+] Module3.bas Macros/VBA/Module3 10551 bytes
exe-pattern anti-analysis create-ole enum-windows environ obfuscated open-file run-file
ExifTool file metadata
SharedDoc: No
Author: 1
HyperlinksChanged: No
LinksUpToDate: No
LastModifiedBy: 1
HeadingPairs: , 1
Template: Normal
CharCountWithSpaces: 0
CreateDate: 2015:11:23 06:22:00
CompObjUserType: ???????? Microsoft Word 97-2003
ModifyDate: 2015:11:23 12:43:00
Company: Home
Characters: 0
CodePage: Windows Cyrillic
RevisionNumber: 32
MIMEType: application/msword
Words: 0
FileType: DOC
Lines: 0
AppVersion: 14.0
Security: None
Software: Microsoft Office Word
TotalEditTime: 12.0 minutes
Pages: 1
ScaleCrop: No
CompObjUserTypeLen: 32
FileTypeExtension: doc
Paragraphs: 0

File identification
MD5 3e25ba0c709f1b9e399e228d302dd732
SHA1 f2cb1d86e5a4f889d121707acbf5dd2524f11b7a
SHA256 e96a81b318493459f104998c0dcf6f89f447529f5c0217088be564367ffd50a7
ssdeep 1536:Zzs4GtWkyUX/Ma8OjeDi4nKW3FiFxdN13:CftWkyUX/Ma8OjZW1iFx1

File size 76.5 KB ( 78336 bytes )
File type MS Word Document
Magic literal CDF V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: 1, Template: Normal, Last Saved By: 1, Revision Number: 32, Name of Creating Application: Microsoft Office Word, Total Editing Time: 12:00, Create Time/Date: Sun Nov 22 06:22:00 2015, Last Saved Time/Date: Sun Nov 22 12:43:00 2015, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0

TrID Microsoft Word document (54.2%)
Microsoft Word document (old ver.) (32.2%)
Generic OLE2 / Multistream Compound File (13.5%)
Tags
obfuscated open-file enum-windows exe-pattern url-pattern create-file run-file macros environ doc write-file anti-analysis create-ole

VirusTotal metadata
First submission 2015-11-23 13:11:18 UTC ( 3 years, 6 months ago )
Last submission 2015-11-24 19:10:30 UTC ( 3 years, 6 months ago )
File names b2cea9747ac756977101e3093183ec7c
7454fbef663ab0c5ba5612dd68ddbeba
c82c22df94799861fb579e7a89ee4ece
eab04081220c7175a82663d4bd89b44a
a83dea0c3e618053f40fb3f5f051ace0
988271023-PRCL.doc
56e2ee9e3ee09baa02c287b758f6516b
malware3.doc
3b09efe7bed9807c936dcb0aeb256f3c