Cryptam // document analysis



Sample Details

original filename: 2012_0158_malicious_document

size: 126583 bytes
submitted: 2019-07-15 17:39:36
md5: 2b36c2a000ff2c43b30748b0f1fa088a
sha1: 7132b5908648a2b40c09f2b3dc482679f490c17a
sha256: 76379f1e355e1df2c17f2541b40812386a2dae5bf4927a56b59ca306aeecc0fe
ssdeep: 1536:/LE2w6cLLHhTEMnhfkHKz1DIpesZXtS0DE13LDtTbet2pAms:/I5LB4MIKz0esNtLEVHRm2pts
content/type: Rich Text Format data, version 1, unknown character set
analysis time: 9.59 s
result: malware [250]
embedded file objects: yes
embedded executable: found

signature hits:

embedded.file datastore-8 9aecf72bff1fca76784c83603e87a554
datastore-8.12: exploit.office CVE-2012-0158 F
datastore-8.2313: exploit.office OLE MSCOMCTL.OCX RCE CVE-2012-0158 H
datastore-8.1155: exploit.office RTF MSCOMCTL.OCX RCE CVE-2012-0158 obs E
158: exploit.office RTF MSCOMCTL.OCX RCE CVE-2012-0158 B
4527: exploit.office RTF MSCOMCTL.OCX RCE CVE-2012-0158 D
4493: exploit.office RTF MSCOMCTL.OCX RCE CVE-2012-0158 obs C
2477: exploit.office RTF MSCOMCTL.OCX RCE CVE-2012-0158 obs D
26822: string.This program cannot be run in DOS mode
49442: string.LoadLibraryA
48790: string.GetModuleHandleA
49000: string.GetCommandLineA
49424: string.GetProcAddress
49032: string.GetEnvironmentVariableA
48630: string.CloseHandle
48700: string.CreateFileA
48300: string.user32.dll
48926: string.KERNEL32
48776: string.ExitProcess
dropped.file doc 0d6d94001483c7bc7650ab2a3e98427a / 16384 bytes / @ 10360
dropped.file exe 20c764dfa4363c6941d8f30cff20c86b / 99839 bytes / @ 26744


Cryptanalysis


key length: 1 bytes
key:

occurrences in file: 32167
entropy: 100.00%


Strings


Dropped Files

datastore-8 at rtf
md5: 9aecf72bff1fca76784c83603e87a554
sha1: 61a85aa29afa4f987c678b2f55e719b63cc63176
sha256: 7f679f72539fd02543e1298e1ea0384b25b3b3951cdb1c80113642b057356d1a

doc at 10360
md5: 0d6d94001483c7bc7650ab2a3e98427a
sha1: 3b7a79330b55a6b95860882fc5ef44a932c461df
sha256: 207c87f2582ab8d12a6c3c17a507ee587bc393a18cbe86aef9ebcda0144db01b

exe at 26744
md5: 20c764dfa4363c6941d8f30cff20c86b
sha1: 8abfbd6be596ef2212dec1af3fd2297c1b767b2f
sha256: 8a8e2487cbf8d13693cfd215cfc85551a69842efd9843b9f2d6d1ca556518c27