SHA256: f4b65dc842ba7353e4b13211f5474d0841ef98152f1c9ab208681b25365d775e
File name: doc4502094035-01.doc
Detection ratio: 5 / 54
Analysis date: 2016-01-27 09:35:31 UTC ( 1 year, 10 months ago )
Antivirus Result Update
AegisLab Macro.Gen!c 20160127
Avira (no cloud) HEUR/Macro.Downloader 20160127
F-Secure Trojan:W97M/MaliciousMacro.GEN 20160127
Qihoo-360 heur.macro.download.cc 20160127
VIPRE Trojan-Downloader.W97M.Adnel.b (v) 20160127
Ad-Aware 20160127
Yandex 20160126
AhnLab-V3 20160127
Alibaba 20160127
ALYac 20160127
Antiy-AVL 20160127
Arcabit 20160127
Avast 20160127
AVG 20160127
Baidu-International 20160127
BitDefender 20160127
Bkav 20160126
ByteHero 20160127
CAT-QuickHeal 20160127
ClamAV 20160127
CMC 20160111
Comodo 20160127
Cyren 20160127
DrWeb 20160127
Emsisoft 20160127
ESET-NOD32 20160127
F-Prot 20160127
Fortinet 20160127
GData 20160127
Ikarus 20160127
Jiangmin 20160127
K7AntiVirus 20160127
K7GW 20160127
Kaspersky 20160127
Malwarebytes 20160127
McAfee 20160127
McAfee-GW-Edition 20160127
Microsoft 20160127
eScan 20160127
NANO-Antivirus 20160127
nProtect 20160126
Panda 20160126
Rising 20160127
Sophos AV 20160127
SUPERAntiSpyware 20160127
Symantec 20160126
Tencent 20160127
TheHacker 20160124
TrendMicro 20160127
TrendMicro-HouseCall 20160127
VBA32 20160126
ViRobot 20160127
Zillya 20160126
Zoner 20160127
The file being studied follows the Compound Document File format. More specifically, it is an MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May write to a file.
May copy a file.
May create additional files.
May create OLE objects.
Seems to contain deobfuscation code.
Summary
last_author: Microsoft Office
creation_datetime: 2016-01-26 20:44:00
author: 1
title: Function
page_count: 1
last_saved: 2016-01-26 20:44:00
word_count: 1
revision_number: 2
application_name: Microsoft Office Word
character_count: 8
code_page: Cyrillic
template: Normal.dot
Document summary
line_count: 1
company: Home
characters_with_spaces: 8
version: 730895
paragraph_count: 1
code_page: Cyrillic
OLE Streams
name: Root Entry, sid: 0, type_literal: root, size: 7552, clsid: 00020906-0000-0000-c000-000000000046, clsid_literal: MS Word
name: \x01CompObj, sid: 23, type_literal: stream, size: 113
name: \x05DocumentSummaryInformation, sid: 4, type_literal: stream, size: 4096
name: \x05SummaryInformation, sid: 3, type_literal: stream, size: 4096
name: 1Table, sid: 1, type_literal: stream, size: 4096
name: Macros/PROJECT, sid: 22, type_literal: stream, size: 534
name: Macros/PROJECTwm, sid: 21, type_literal: stream, size: 95
name: Macros/UserForm1/\x01CompObj, sid: 19, type_literal: stream, size: 97
name: Macros/UserForm1/\x03VBFrame, sid: 20, type_literal: stream, size: 291
name: Macros/UserForm1/f, sid: 17, type_literal: stream, size: 314
name: Macros/UserForm1/o, sid: 18, type_literal: stream, size: 364
name: Macros/VBA/Module2, sid: 10, type_literal: stream, size: 37256, type: macro
name: Macros/VBA/ThisDocument, sid: 7, type_literal: stream, size: 1279, type: macro
name: Macros/VBA/UserForm1, sid: 11, type_literal: stream, size: 1159, type: macro (only attributes)
name: Macros/VBA/_VBA_PROJECT, sid: 12, type_literal: stream, size: 5893
name: Macros/VBA/__SRP_0, sid: 14, type_literal: stream, size: 1553
name: Macros/VBA/__SRP_1, sid: 15, type_literal: stream, size: 110
name: Macros/VBA/__SRP_2, sid: 8, type_literal: stream, size: 264
name: Macros/VBA/__SRP_3, sid: 9, type_literal: stream, size: 103
name: Macros/VBA/dir, sid: 13, type_literal: stream, size: 852
name: WordDocument, sid: 2, type_literal: stream, size: 4142
Macros and VBA code streams
ThisDocument.cls Macros/VBA/ThisDocument 46 bytes
Module2.bas Macros/VBA/Module2 20953 bytes
copy-file create-file create-ole obfuscated open-file write-file
ExifTool file metadata
SharedDoc: No
Author: 1
CodePage: Windows Cyrillic
LinksUpToDate: No
LastModifiedBy: Microsoft Office
HeadingPairs: , 1
Template: Normal.dot
CharCountWithSpaces: 8
CreateDate: 2016:01:26 19:44:00
CompObjUserType: ???????? Microsoft Office Word
ModifyDate: 2016:01:26 19:44:00
TitleOfParts: Function
Company: Home
Title: Function
HyperlinksChanged: No
Characters: 8
ScaleCrop: No
RevisionNumber: 2
MIMEType: application/msword
Words: 1
FileType: DOC
Lines: 1
AppVersion: 11.9999
Security: None
Software: Microsoft Office Word
TotalEditTime: 0
Pages: 1
CompObjUserTypeLen: 31
FileTypeExtension: doc
Paragraphs: 1

File identification
MD5 c0432b0c6d776940897ac2f8eac2fe73
SHA1 66750023eb063f876f1a2e6e3013683313636cfc
SHA256 f4b65dc842ba7353e4b13211f5474d0841ef98152f1c9ab208681b25365d775e
ssdeep 768:WjdGPyj8bOTA35PGMVr3iCSx0rvuERKWxw3AX0CfSxfHp:quh5/0/OTuERK5wXr6H
File size 71.5 KB ( 73216 bytes )
File type MS Word Document
Magic literal CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Title: Function, Author: 1, Template: Normal.dot, Last Saved By: Microsoft Office, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Jan 25 19:44:00 2016, Last Saved Time/Date: Mon Jan 25 19:44:00 2016, Number of Pages: 1, Number of Words: 1, Number of Characters: 8, Security: 0
TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags obfuscated open-file doc copy-file create-file macros attachment write-file create-ole
VirusTotal metadata
First submission 2016-01-27 09:07:02 UTC ( 1 year, 10 months ago )
Last submission 2016-01-29 13:37:03 UTC ( 1 year, 9 months ago )
File names doc45020940351.doc
0451269b3fe4e84f7f2333f79f16780b
262fe4bf0952b3540fc90d13a923913e
8f0ac47ef08131e33ad4fe67d32eab2b
5d70f5ad49bb359296dbe2b38c9d13b8
klajslkjjasltodaydoc4502094035.doc
doc4502094035-01.doc
doc4502094035.doc
DONT-OPEN-doc4502094035.doxxx.doc
e990472b9b0362806b449f6bf4eec08c
17699850e913de6ed2e3995dd333b575
6ee3cad551d77ada7ef545e97a514a1d
a5fd6b509c5219549ababeca4e5d7f72