Update January 24, 2010 Abhishek Lyall provided the following information about the file:
" The exploit works on office 2003. Tested on XP SP2-3. The exe is embedded at OFFSET=0x4c00 with key 0x25. The Word document attached is at offset 0x7400 with key 0x25. The shellcode in the exploit drops a binary with name "svchost.exe" and a doc file in %temp% folder. The shellcode in the xls decodes the exe and drops it. The binary and Doc are XOR'ed with key 0x25 except bytes 0x25, 0x00, 0xFF and 0xDA". to be continued.. << Thank you (M)Virustotal
http://www.virustotal.com/analisis/36b8f38a18856e5d5484ee5ef933706cb8372047470c63d6017d638448716dac-1256236314File Final File of F4 UN.doc received on 2009.10.22 18:31:54 (UTC)
Result: 4/41 (9.76%)
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.22 Exploit.MSWord.Agent!IK
Antiy-AVL 2.0.3.7 2009.10.22 Exploit/MSWord.Agent
Ikarus T3.1.1.72.0 2009.10.22 Exploit.MSWord.Agent
Kaspersky 7.0.0.125 2009.10.22 Exploit.MSWord.Agent.ac
File size: 1440768 bytes
MD5 : 76af62049aa95ba30214cabb5baf1342
SHA1 : 0ddff5948e3bf612eecbe7fc5bdd746939eb50c5
SHA256: 36b8f38a18856e5d5484ee5ef933706cb8372047470c63d6017d638448716dac
I don't know why a-squared stopped detecting it. One month later detection is still very low.
File Final_File_of_F4_UN.doc received on 2009.12.21 05:45:17 (UTC)
Result: 3/41 (7.32%)
Antiy-AVL 2.0.3.7 2009.12.18 Exploit/MSWord.Agent
Authentium 5.2.0.5 2009.12.02 MSWord/Dropper.B!Camelot
Kaspersky 7.0.0.125 2009.12.21 Exploit.MSWord.Agent.ac
Additional information
File size: 1440768 bytes
MD5...: 76af62049aa95ba30214cabb5baf1342
SHA1..: 0ddff5948e3bf612eecbe7fc5bdd746939eb50c5
SHA256: 36b8f38a18856e5d5484ee5ef933706cb8372047470c63d6017d638448716dac
to be continued..