Cryptam // document analysis



Sample Details

original filename: 32byte.virus

size: 429440 bytes
submitted: 2018-05-03 19:05:29
md5: 7048add2873b08a9693a60135f978686
sha1: 08db4b8dc7c18133851774d687a9d2bcb993bffa
sha256: 6ea86b944c8b5a9b02adc7aac80e0f33217b28103b70153710c1f6da76e36081
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 2.60 s
result: malware [172]
embedded executable: found

signature hits:

2563: exploit.office MSCOMCTL.OCX Toolbar MS12-060 A
2571: exploit.office MSCOMCTL.OCX Toolbar MS12-060
20946: suspicious.office Visual Basic macro
28750: string.This program cannot be run in DOS mode
101774: string.LoadLibraryA
101124: string.GetModuleHandleA
101540: string.GetCommandLineA
102218: string.GetSystemMetrics
101282: string.GetProcAddress
100552: string.CloseHandle
100660: string.CreateFileA
103058: string.RegOpenKeyExA
101788: string.KERNEL32
101218: string.ExitProcess
101976: string.GetMessageA
102128: string.CreateWindowExA
dropped.file exe a23fa0c8c9fc3cfe9474479c80614f48 / 390016 bytes / @ 28672
dropped.file doc e617348b8947f28e2a280dd93c75a6ad / 10752 bytes / @ 418688


Cryptanalysis


key length: 32 bytes
key:

occurrences in file: 295
entropy: 100.00%


Dropped Files

exe at 28672
md5: a23fa0c8c9fc3cfe9474479c80614f48
sha1: b1dde2dd913f6be3fa9c5fed6a7b51e56a705d08
sha256: 177728efd30ef8d754142746fb051c16d7a0c360b6796e471b6cfb87f55b3f12

doc at 418688
md5: e617348b8947f28e2a280dd93c75a6ad
sha1: 125da188e26bd119ce8cad7eeb1fc2dfa147ad47
sha256: 06f7826c2862d184a49e3672c0aa6097b11e7771a4bf613ec37941236c1a8e20