Cryptam // document analysis


Sample Details

original filename: 0fecbbd3086b5ca47c5ea067f3626cb3fc57a07a8ae90b6dd110e540f785a6a7_6bYDuh9tfbBfVYg7up.doc

size: 2054656 bytes
submitted: 2018-11-29 01:12:03
md5: 75cd827aa89045864174de0d740e1e47
sha1: af7824db35f78d08eb822df321bf1e639521f1ae
sha256: 0fecbbd3086b5ca47c5ea067f3626cb3fc57a07a8ae90b6dd110e540f785a6a7
ssdeep: 49152:BSoYTQ3IgOfQAWMBYNRatUCiy+QD5Dl65F8/3IYVv:nYkIiApBxn1Nw5F8vz
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 9.21 s
result: malware [100]
embedded executable: found

signature hits:

766775: exploit.office embedded Visual Basic execute shell command Wscript.Shell
71758: string.This program cannot be run in DOS mode
318828: string.GetCommandLineA
78066: string.GetProcAddress
316064: string.EnterCriticalSection
78284: string.CloseHandle
78392: string.KERNEL32
78150: string.ExitProcess
766731: string.vbs On Error Resume Next
dropped.file exe 53a3e884883046c47a8f42fda231ada3 / 20992 bytes / @ 71680
dropped.file exe 234e12bb5c79023e388a6348a87e212d / 255488 bytes / @ 92672
dropped.file exe 424a369c71b18d4e822c891609f21e4e / 1706496 bytes / @ 348160



Dropped Files

exe at 71680
md5: 53a3e884883046c47a8f42fda231ada3
sha1: e22662b6d54e942848b834828ec607700567e1d4
sha256: 6d24a8dfc2c0bfdd478b1c7c5b24388c22e713d2e8fda4aa397e350043fcbfb4

exe at 92672
md5: 234e12bb5c79023e388a6348a87e212d
sha1: 2dcf9cdb12faa7b8446c8350d10a6b54828fc73c
sha256: b150e51a7dc556fa8860df7c480b2c7379e6165e47bc51b05ed30e967226c69d

exe at 348160
md5: 424a369c71b18d4e822c891609f21e4e
sha1: 67a20cd775749999e603cd268ab676f2ed2a39b2
sha256: 60cc4a1803b4d5fcc9aa1f1fb4dfd7a03dd060538a51b172a8fc53c11c225854