Cryptam // document analysis


Sample Details

original filename: 8200e07ef43d4e7cce22413bf702bdea7cb0e5a68d78f09e792d0dfccb4484db_com.eweaver.document.file.FileDownload.xls

size: 121856 bytes
submitted: 2018-06-17 06:05:28
md5: e48e2470730193fb3edf6e0a6c38f75b
sha1: 01c90130765447fee71317e5599e34d327ffb362
sha256: 8200e07ef43d4e7cce22413bf702bdea7cb0e5a68d78f09e792d0dfccb4484db
ssdeep: 1536:HQQQqJqcCJeiCmxmQJtV8bckS1Q8vePsZzZ95uTMC5mmWUbrzQ7wzRmTkbA23Y2c:wgTMwWUbrzQ73TkZLEdJtXwmzZB
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 0.72 s
result: malware [72]
embedded executable: found

signature hits:

71363: exploit.office embedded Visual Basic write to file Scripting.FileSystemObject
71947: exploit.office embedded Visual Basic execute shell command Wscript.Shell
78440: exploit.office embedded Visual Basic accessing file OpenTextFile
106228: suspicious.office Visual Basic macro
68653: string.vbs On Error Resume Next
dropped.file vbs 37c426d7d8ab90bed3f4bfb844494a5e / 19998 bytes / @ 75053
dropped.file vbs 126b954f8b0cd4e689be03dac5d8d6cf / 26805 bytes / @ 95051


Dropped Files

vbs at 75053
md5: 37c426d7d8ab90bed3f4bfb844494a5e
sha1: 9018a9d18ca56f144a96f621f582eec3b93ee7e5
sha256: 78df3bce871863404b5ed275e7b88f907aeef9e381c3ecf0bc482191b80dcb66

vbs at 95051
md5: 126b954f8b0cd4e689be03dac5d8d6cf
sha1: bc1b6600ab5749e3a349893dc508e2f698948d2c
sha256: bcc82821e796645b66b97a0e2978cf5157286ebe9de6e2ad8699172f8b1f1f63