SHA256: fc1f1845e47d4494a02407c524eb0e94b6484045adb783e90406367ae20a83ac
File name: lgm_bill98046.doc
Detection ratio: 33 / 54
Analysis date: 2016-12-07 07:49:31 UTC ( 3 months, 2 weeks ago )
Antivirus Result Update
Ad-Aware VBA:Trojan.VBA.Downloader.BR 20161207
AegisLab Troj.Downloader.Msword.Agent!c 20161207
AhnLab-V3 W97M/Hancitor 20161207
ALYac Trojan.Downloader.W97M.Gen 20161207
Arcabit VBA:Trojan.VBA.Downloader.BR 20161207
Avast VBA:Downloader-DSL [Trj] 20161207
AVG W97M/Dropper.Agent 20161207
Avira (no cloud) W2000M/Dldr.Agent.asgo 20161206
Baidu VBA.Trojan.Kryptik.ap 20161207
BitDefender VBA:Trojan.VBA.Downloader.BR 20161207
CAT-QuickHeal W97M.Downloader.PI 20161207
ClamAV Doc.Dropper.Agent-1839478 20161207
Cyren W97M/Nastjencro 20161207
Emsisoft VBA:Trojan.VBA.Downloader.BR (B) 20161207
ESET-NOD32 VBA/Kryptik.T 20161207
F-Prot New or modified W97M/Nastjencro 20161207
F-Secure Trojan:W97M/Nastjencro.A 20161207
Fortinet WM/Agent.FUL!tr 20161207
GData VBA:Trojan.VBA.Downloader.BR 20161207
Ikarus Trojan-Dropper.VBA.Agent 20161206
Kaspersky Trojan-Downloader.MSWord.Agent.auz 20161207
McAfee W97M/Dropper.cu 20161205
McAfee-GW-Edition W97M/Dropper.cu 20161207
Microsoft TrojanDownloader:O97M/Donoff.CD 20161207
eScan VBA:Trojan.VBA.Downloader.BR 20161207
Qihoo-360 virus.office.gen.95 20161207
Rising Downloader.Agent!8.B23 (topis) 20161207
Sophos Troj/DocDl-FQK 20161207
Symantec W97M.Downloader 20161207
Tencent Win32.Trojan.Inject.Auto 20161207
TrendMicro W2KM_HANCITOR.AUSTT 20161207
TrendMicro-HouseCall W2KM_HANCITOR.AUSTT 20161207
ViRobot W97M.S.Downloader.163840.A[h] 20161207
Alibaba 20161207
Antiy-AVL 20161207
AVware 20161207
Bkav 20161206
CMC 20161207
Comodo 20161207
CrowdStrike Falcon (ML) 20161024
DrWeb 20161207
Invincea 20161202
Jiangmin 20161207
K7AntiVirus 20161207
K7GW 20161207
Kingsoft 20161207
Malwarebytes 20161207
NANO-Antivirus 20161207
nProtect 20161207
Panda 20161206
SUPERAntiSpyware 20161207
TheHacker 20161130
Trustlook 20161207
VBA32 20161206
VIPRE 20161207
WhiteArmor 20161125
Yandex 20161206
Zillya 20161205
Zoner 20161207
The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
Commonly abused properties
The studied file makes use of macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Macros are often abused to perform malicious tasks when working with a document.
May open a file.
May enumerate open windows.
May execute code from Dynamically Linked Libraries.
Summary
last_author: Windows
creation_datetime: 2016-11-21 15:15:00
author: Kimberly
title:
page_count: 1
last_saved: 2016-11-21 15:15:00
revision_number: 1
application_name: Microsoft Office Word
character_count: 2
code_page: Cyrillic
template: Normal.dot
Document summary
byte_count: 11000
company:
characters_with_spaces: 2
line_count: 1
version: 726502
paragraph_count: 1
code_page: Cyrillic
OLE Streams
name: Root Entry, clsid: 00020906-0000-0000-c000-000000000046, type_literal: root, clsid_literal: MS Word, sid: 0, size: 3520
name: \x01CompObj, type_literal: stream, sid: 20, size: 113
name: \x05DocumentSummaryInformation, type_literal: stream, sid: 5, size: 4096
name: \x05SummaryInformation, type_literal: stream, sid: 4, size: 4096
name: 1Table, type_literal: stream, sid: 2, size: 4096
name: Data, type_literal: stream, sid: 1, size: 25950
name: Macros/PROJECT, type_literal: stream, sid: 19, size: 545
name: Macros/PROJECTwm, type_literal: stream, sid: 18, size: 119
name: Macros/VBA/ThisDocument, type_literal: stream, type: macro, sid: 8, size: 10574
name: Macros/VBA/_VBA_PROJECT, type_literal: stream, sid: 11, size: 8216
name: Macros/VBA/coagulation, type_literal: stream, type: macro, sid: 9, size: 15096
name: Macros/VBA/dir, type_literal: stream, sid: 12, size: 866
name: Macros/VBA/temporariness, type_literal: stream, type: macro (only attributes), sid: 10, size: 1162
name: Macros/temporariness/\x01CompObj, type_literal: stream, sid: 16, size: 97
name: Macros/temporariness/\x03VBFrame, type_literal: stream, sid: 17, size: 296
name: Macros/temporariness/f, type_literal: stream, sid: 14, size: 98
name: Macros/temporariness/o, type_literal: stream, sid: 15, size: 8388
name: WordDocument, type_literal: stream, sid: 3, size: 72264
Macros and VBA code streams
[+] ThisDocument.cls Macros/VBA/ThisDocument 4775 bytes
exe-pattern open-file
[+] coagulation.bas Macros/VBA/coagulation 7419 bytes
exe-pattern enum-windows run-dll
ExifTool file metadata
SharedDoc: No
Author: Kimberly
CodePage: Windows Cyrillic
LinksUpToDate: No
LastModifiedBy: Windows
HeadingPairs: , 1
Template: Normal.dot
CharCountWithSpaces: 2
CreateDate: 2016:11:21 14:15:00
CompObjUserType: ???????? Microsoft Office Word
ModifyDate: 2016:11:21 14:15:00
HyperlinksChanged: No
Characters: 2
ScaleCrop: No
RevisionNumber: 1
MIMEType: application/msword
Words: 0
Bytes: 11000
FileType: DOC
Lines: 1
AppVersion: 11.5606
Security: None
Software: Microsoft Office Word
TotalEditTime: 0
Pages: 1
CompObjUserTypeLen: 31
FileTypeExtension: doc
Paragraphs: 1

File identification
MD5 1d4c5037912d96865c2b830fd8b0693b
SHA1 2622dd34f11254a821694598e918b4736a01076f
SHA256 fc1f1845e47d4494a02407c524eb0e94b6484045adb783e90406367ae20a83ac
ssdeep 1536:r838YmfouU03IV5cOAyMH8oHye2TLh8JFUCea76v5JYXRGNbMWoLqjlHO3:YsTfHU0QcOVMH8mye2Ph9J5JWEbWOj0
File size 160.0 KB ( 163840 bytes )
File type MS Word Document
Magic literal CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Title: , Author: Kimberly, Template: Normal.dot, Last Saved By: Windows, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Sun Nov 20 14:15:00 2016, Last Saved Time/Date: Sun Nov 20 14:15:00 2016, Number of Pages: 1, Number of Words: 0, Number of Characters: 2, Security: 0
TrID Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
Tags
open-file enum-windows exe-pattern doc macros run-dll attachment

VirusTotal metadata
First submission 2016-11-21 14:41:30 UTC ( 4 months ago )
Last submission 2016-12-07 07:49:31 UTC ( 3 months, 2 weeks ago )
File names lgm_bill68036.doc
lgm_bill31185.doc
lgm_bill84685.doc
lgm_bill54067.doc
lgm_bill87782.doc
lgm_bill31076.doc
lgm_bill39240.doc
lgm_bill27460.doc
lgm_bill12390.doc
lgm_bill92576.doc
lgm_bill59680.doc
invoice_618887.doc
lgm_bill50074.doc
lgm_bill22308.doc
lgm_bill54218.doc
lgm_bill37147.doc
lgm_bill72542.doc
lgm_bill87046.doc
lgm_bill88918.doc
lgm_bill55442.doc
lgm_bill67964.doc
lgm_bill68500.doc
invoice_540080.doc
lgm_bill38530.doc
lgm_bill36376.doc