Cryptam // document analysis


Sample Details

original filename: 4a8df45020d9fd79eb906eb88274858457909f0583041824463e4fc9d6b36ded_abYDuh9tfbBfVYg7up.doc

size: 2052608 bytes
submitted: 2018-10-05 06:00:18
md5: f61adaf6d56ce6f1efe9d555bc48f570
sha1: ff6c5f9f8a31ef834f423d49f9ebee726f3bb6cc
sha256: 4a8df45020d9fd79eb906eb88274858457909f0583041824463e4fc9d6b36ded
ssdeep: 49152:ptgYTQ3IgOfQAWMBYNRatUKyxA0oPEkfXAwhZljcEvr:oYkIiApBCC0oPTh3D
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 4.65 s
result: malware [100]
embedded executable: found

signature hits:

766537: exploit.office embedded Visual Basic execute shell command Wscript.Shell
71758: string.This program cannot be run in DOS mode
318828: string.GetCommandLineA
78066: string.GetProcAddress
316064: string.EnterCriticalSection
78284: string.CloseHandle
78392: string.KERNEL32
78150: string.ExitProcess
766493: string.vbs On Error Resume Next
dropped.file exe 53a3e884883046c47a8f42fda231ada3 / 20992 bytes / @ 71680
dropped.file exe 473355262e65f3befcd93a521788dfe8 / 255488 bytes / @ 92672
dropped.file exe ee1433b828e33df5012ac58428ddf9cb / 1704448 bytes / @ 348160


Dropped Files

exe at 71680
md5: 53a3e884883046c47a8f42fda231ada3
sha1: e22662b6d54e942848b834828ec607700567e1d4
sha256: 6d24a8dfc2c0bfdd478b1c7c5b24388c22e713d2e8fda4aa397e350043fcbfb4

exe at 92672
md5: 473355262e65f3befcd93a521788dfe8
sha1: 6f974aefc11d944199039f803b7ea2fed54395bd
sha256: 1a51b6b1eabd6dad31199427084c21e443fd3d0475b022f53667b300fa816234

exe at 348160
md5: ee1433b828e33df5012ac58428ddf9cb
sha1: c7e5ae42d259de11f06adcc6fda7c8911c772450
sha256: 6a07269e55f3bd86f6a57c70d40a51a309398fadac29b8ff34922694f53e0735