Cryptam // document analysis


Sample Details

original filename: 1eee5a2c8c2eb5f3275a8de0f127f011c3023518ff69fb564f410551b7a0f2d8_abYDuh9tfbBfVYg7up.doc

size: 2052608 bytes
submitted: 2018-11-02 07:30:17
md5: 2215024376c90d2bcf6d260b7560a403
sha1: 7a27e4847d4e4f3301fd21614b8114037a9b8b59
sha256: 1eee5a2c8c2eb5f3275a8de0f127f011c3023518ff69fb564f410551b7a0f2d8
ssdeep: 49152:DEgYTQ3IgOfQAWMBYNRatUyyxA0oPEkfXYwhZQlEvz:nYkIiApBWC0oPjhtb
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 4.70 s
result: malware [100]
embedded executable: found

signature hits:

766537: exploit.office embedded Visual Basic execute shell command Wscript.Shell
71758: string.This program cannot be run in DOS mode
318828: string.GetCommandLineA
78066: string.GetProcAddress
316064: string.EnterCriticalSection
78284: string.CloseHandle
78392: string.KERNEL32
78150: string.ExitProcess
766493: string.vbs On Error Resume Next
dropped.file exe 53a3e884883046c47a8f42fda231ada3 / 20992 bytes / @ 71680
dropped.file exe 473355262e65f3befcd93a521788dfe8 / 255488 bytes / @ 92672
dropped.file exe 36456750137d7bd4c6e07c3176bac12b / 1704448 bytes / @ 348160


Dropped Files

exe at 71680
md5: 53a3e884883046c47a8f42fda231ada3
sha1: e22662b6d54e942848b834828ec607700567e1d4
sha256: 6d24a8dfc2c0bfdd478b1c7c5b24388c22e713d2e8fda4aa397e350043fcbfb4

exe at 92672
md5: 473355262e65f3befcd93a521788dfe8
sha1: 6f974aefc11d944199039f803b7ea2fed54395bd
sha256: 1a51b6b1eabd6dad31199427084c21e443fd3d0475b022f53667b300fa816234

exe at 348160
md5: 36456750137d7bd4c6e07c3176bac12b
sha1: f36cd774eaa111905a2dd7a44e56020e6e9f35a4
sha256: 2ea260707509c57cc4106402d1a797a718ec190ccf5c1f59a6ad859f34101d43