SHA256: ea6c955a619f18c3e9a6ad2c7ad2723ae237985451f55d1bb3b7ac6ce55b1523
File name: INVOICEPaid_100114000.xls
Detection ratio: 4 / 54
Analysis date: 2016-01-21 11:59:51 UTC ( 1 year, 10 months ago )
Antivirus Result Update
Arcabit HEUR.VBA.Trojan.d 20160121
F-Secure Trojan:W97M/MaliciousMacro.GEN 20160121
GData Macro.Trojan-Downloader.Agent.KZ 20160121
Qihoo-360 heur.macro.download.1i 20160121
Ad-Aware 20160121
AegisLab 20160121
Yandex 20160120
AhnLab-V3 20160121
Alibaba 20160121
ALYac 20160121
Antiy-AVL 20160121
Avast 20160121
AVG 20160121
Avira (no cloud) 20160121
Baidu-International 20160121
BitDefender 20160121
Bkav 20160120
ByteHero 20160121
CAT-QuickHeal 20160121
ClamAV 20160121
CMC 20160111
Comodo 20160121
Cyren 20160121
DrWeb 20160121
Emsisoft 20160121
ESET-NOD32 20160121
F-Prot 20160121
Fortinet 20160121
Ikarus 20160121
Jiangmin 20160121
K7AntiVirus 20160121
K7GW 20160121
Kaspersky 20160121
Malwarebytes 20160121
McAfee 20160121
McAfee-GW-Edition 20160121
Microsoft 20160121
eScan 20160121
NANO-Antivirus 20160121
nProtect 20160121
Panda 20160120
Rising 20160121
Sophos AV 20160121
SUPERAntiSpyware 20160121
Symantec 20160120
Tencent 20160121
TheHacker 20160119
TrendMicro 20160121
TrendMicro-HouseCall 20160121
VBA32 20160121
VIPRE 20160121
ViRobot 20160121
Zillya 20160121
Zoner 20160121
The file being studied follows the Compound Document File format! More specifically, it is a MS Excel Spreadsheet file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May write to a file.
May create additional files.
May try to run other files, shell commands or applications.
May create OLE objects.
May try to download additional files from the Internet.
Seems to contain deobfuscation code.
Summary
last_author: 1
creation_datetime: 2015-07-30 06:24:02
author: 1
last_saved: 2016-01-21 08:59:06
application_name: Microsoft Excel
code_page: Cyrillic
Document summary
version: 917504
code_page: Cyrillic
OLE Streams
name: Root Entry; type_literal: root; clsid: 00020820-0000-0000-c000-000000000046; clsid_literal: MS Excel; sid: 0; size: 9984
name: \x01CompObj; type_literal: stream; sid: 22; size: 102
name: \x05DocumentSummaryInformation; type_literal: stream; sid: 21; size: 236
name: \x05SummaryInformation; type_literal: stream; sid: 20; size: 200
name: Workbook; type_literal: stream; sid: 1; size: 13218
name: _VBA_PROJECT_CUR/PROJECT; type_literal: stream; sid: 19; size: 621
name: _VBA_PROJECT_CUR/PROJECTwm; type_literal: stream; sid: 18; size: 131
name: _VBA_PROJECT_CUR/VBA/Module1; type_literal: stream; type: macro; sid: 8; size: 28528
name: _VBA_PROJECT_CUR/VBA/Module2; type_literal: stream; type: macro; sid: 11; size: 25461
name: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT; type_literal: stream; sid: 14; size: 9937
name: _VBA_PROJECT_CUR/VBA/__SRP_0; type_literal: stream; sid: 16; size: 1780
name: _VBA_PROJECT_CUR/VBA/__SRP_1; type_literal: stream; sid: 17; size: 327
name: _VBA_PROJECT_CUR/VBA/__SRP_2; type_literal: stream; sid: 9; size: 174
name: _VBA_PROJECT_CUR/VBA/__SRP_3; type_literal: stream; sid: 10; size: 638
name: _VBA_PROJECT_CUR/VBA/__SRP_4; type_literal: stream; sid: 12; size: 124
name: _VBA_PROJECT_CUR/VBA/__SRP_5; type_literal: stream; sid: 13; size: 391
name: _VBA_PROJECT_CUR/VBA/dir; type_literal: stream; sid: 15; size: 620
name: _VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04421; type_literal: stream; type: macro (only attributes); sid: 5; size: 976
name: _VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04422; type_literal: stream; type: macro (only attributes); sid: 6; size: 976
name: _VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04423; type_literal: stream; type: macro (only attributes); sid: 7; size: 976
name: _VBA_PROJECT_CUR/VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430; type_literal: stream; type: macro; sid: 4; size: 1176
Macros and VBA code streams
[+] Module1.bas _VBA_PROJECT_CUR/VBA/Module1 17093 bytes
create-file open-file write-file
[+] Module2.bas _VBA_PROJECT_CUR/VBA/Module2 14917 bytes
exe-pattern create-file create-ole download obfuscated run-file
ExifTool file metadata
MIMEType: application/vnd.ms-excel
CompObjUserTypeLen: 26
CompObjUserType: ???? Microsoft Excel 2003
ModifyDate: 2016:01:21 07:59:06
TitleOfParts: 1, 2, 3
SharedDoc: No
Author: 1
FileType: XLS
AppVersion: 14.0
LinksUpToDate: No
ScaleCrop: No
LastModifiedBy: 1
HeadingPairs: , 3
FileTypeExtension: xls
HyperlinksChanged: No
CreateDate: 2015:07:30 05:24:02
Security: None
CodePage: Windows Cyrillic
Software: Microsoft Excel

File identification
MD5 9c7bfadd36d1c8def57016202694c9d4
SHA1 515ab55e620964e8e018251e976fea529b67a3e6
SHA256 ea6c955a619f18c3e9a6ad2c7ad2723ae237985451f55d1bb3b7ac6ce55b1523
ssdeep 1536:WYdvxHlcaQPy0iWYOcG4BDhnxDV8ix/7uDphYHceXVhca+fMHLtyeGxclrdg2OMm:WYdvxHlcaAy0iWYOcG4BDhnxDV8ix/7a
File size 91.5 KB ( 93696 bytes )
File type MS Excel Spreadsheet
Magic literal CDF V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: 1, Last Saved By: 1, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Jul 29 05:24:02 2015, Last Saved Time/Date: Wed Jan 20 07:59:06 2016, Security: 0
TrID Microsoft Excel sheet (78.9%); Generic OLE2 / Multistream Compound File (21.0%)
Tags obfuscated open-file exe-pattern create-file run-file macros attachment download write-file xls create-ole

VirusTotal metadata
First submission 2016-01-21 11:22:01 UTC ( 1 year, 10 months ago )
Last submission 2016-10-24 08:04:09 UTC ( 1 year, 1 month ago )
File names 9c7bfadd36d1c8def57016202694c9d4.xls
52700e3224f84561e050732b41587f04
INVOICEPaid_100114000.xls
4980ec4b2e570786702fadbdb756c15d
286989536790-107-0_attach.1.INVOICEPaid_100114000.xls
malware.xls
53641e595faf455443c38591d9642ad2
b395ab6c39cc6e49561371c0ce7b0019
8edc4e5d0ff758663d2526c04a9bb829
e9261f686e8848616fb74c6d97ba6452
20160121_INVOICEPaid_100114000.xls