Cryptam // document analysis


Sample Details

original filename: 9a66c36e4f18b6dfa2ad98a122f2bca2c2eb0a64f96d7d5fb6d56708bda00b28_20121127031228.xls

size: 101376 bytes
submitted: 2018-06-16 15:04:49
md5: 35e8752d59627967a7a75d9cca02f705
sha1: 46a8674c703ac88f5e5c8538b127b5c37ecaa3f4
sha256: 9a66c36e4f18b6dfa2ad98a122f2bca2c2eb0a64f96d7d5fb6d56708bda00b28
ssdeep: 1536:k222y2T72+22Yrx1N0UDEYHn20MtK7LIZ95lsWcPWVbrzQ7I4hkQx2PZg7N/WwFV:sfWVbrzQ7I4hk3BglxUk
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 0.75 s
result: malware [72]
embedded executable: found

signature hits:

53198: exploit.office embedded Visual Basic write to file Scripting.FileSystemObject
53782: exploit.office embedded Visual Basic execute shell command Wscript.Shell
60291: exploit.office embedded Visual Basic accessing file OpenTextFile
88820: suspicious.office Visual Basic macro
49976: string.vbs On Error Resume Next
dropped.file vbs 7071503566e3f8eff42078fa48a63d1d / 20131 bytes / @ 56896
dropped.file vbs 79b38d2f999ed298cf6535ee0c688702 / 24349 bytes / @ 77027


Dropped Files

vbs at 56896
md5: 7071503566e3f8eff42078fa48a63d1d
sha1: 0087d253aa48dce066c3ebb92f1d8fe32263f0ae
sha256: 1e1fdaef59566e5fa9a9ef140ed2e7676ba7fd171da300808766b66bce6d6f43

vbs at 77027
md5: 79b38d2f999ed298cf6535ee0c688702
sha1: 88869f1f511d0e020a4e01f772064e28777fcf7c
sha256: cd94b10f9b0382650f4c549746b6368f868871b35e88e2fa9e7945beffd434ed