Cryptam // document analysis


Sample Details

original filename: Samp(2).docx

size: 324580 bytes
submitted: 2018-12-17 07:38:12
md5: 1a5fc80bed93ae809a2a9a3968f39bce
sha1: 07e24e4ef6b59e25e1178d02ff2fb63fff9b3ce0
sha256: a617d6391b416a738f8a5ee3748ff36162bf4540ee7db2b1497b03b0b19a7fe1
ssdeep: 6144:tfconHXx2Y+NZ9yModcFBvZppZvLe1Pxz1dSUTqiNf276r2ZCj7vmWEcGv:VnHXM7eaFRvi1pbSUTqiNf2GrFj+v
content/type: Microsoft Word 2007+
analysis time: 0.00 s
result: malware [134]
embedded file objects: yes
embedded executable: found

signature hits:

embedded.file oleObject1.bin 2aa55da7e8b4f0a27ccefc94b200126b
oleObject1.bin.1104: suspicious.office Packager ClassID used by CVE-2014-6352 C
oleObject1.bin.3247: string.This program cannot be run in DOS mode
oleObject1.bin.52483: string.LoadLibraryA
oleObject1.bin.52045: string.GetModuleHandleA
oleObject1.bin.52207: string.GetCommandLineA
oleObject1.bin.52065: string.GetProcAddress
oleObject1.bin.51871: string.EnterCriticalSection
oleObject1.bin.51771: string.CloseHandle
oleObject1.bin.51815: string.CreateFileA
oleObject1.bin.51721: string.RegOpenKeyExA
oleObject1.bin.52775: string.KERNEL32
oleObject1.bin.dropped.file exe e202efeb138de48c55046d32fafbb315 / 77215 bytes / @ 3169
embedded.file vbaProject.bin c66ce299f067fef7522a96ed952db915
vbaProject.bin.18439: exploit.office embedded Visual Basic write to file Scripting.FileSystemObject
vbaProject.bin.35030: suspicious.office Visual Basic macro
vbaProject.bin.7695: string.vbs impersonationLevel
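The hits above are what a fixed signature set reports; to show where they come from, here is an added Python example (not Cryptam's code) that reproduces the workflow on a constructed .docx: walk the OOXML zip, hash each embedded object, look for the OLE Packager CLSID, locate indicator strings, and carve any PE by its section table. The sample container, the placement of the CLSID inside oleObject1.bin and the minimal one-section PE are all constructed for the example; only the Packager CLSID value, {F20DA720-C02F-11CE-927B-0800095AE340}, is the real documented one. One check worth making on the report itself: the DOS-stub string sits at 3247 and the dropped executable at 3169, a difference of 78 (0x4E), which is exactly where the Microsoft linker's stub places that string, so the two hits corroborate each other.

```python
import hashlib
import io
import re
import struct
import uuid
import zipfile

# OLE "Packager" class ID. OLE directory entries store CLSIDs in little-endian
# field order, which is what .bytes_le yields.
PACKAGER_CLSID = uuid.UUID("F20DA720-C02F-11CE-927B-0800095AE340").bytes_le

# Indicator strings mirroring the report's hits (DOS stub, imports, VBA/WMI fragments).
INDICATORS = [
    b"This program cannot be run in DOS mode", b"LoadLibraryA", b"GetProcAddress",
    b"CreateFileA", b"RegOpenKeyExA", b"KERNEL32",
    b"Scripting.FileSystemObject", b"impersonationLevel",
]


def pe_length(blob, off):
    """Byte length of the PE image at blob[off:], or None if there is no valid PE there.
    The end is the furthest section's PointerToRawData + SizeOfRawData; an overlay
    appended after the last section is deliberately not carved."""
    try:
        if blob[off:off + 2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
        pe = off + e_lfanew
        if blob[pe:pe + 4] != b"PE\x00\x00":
            return None
        nsections = struct.unpack_from("<H", blob, pe + 6)[0]
        size_opt = struct.unpack_from("<H", blob, pe + 20)[0]
        sect = pe + 24 + size_opt
        end = e_lfanew + 24 + size_opt + 40 * nsections      # headers at minimum
        for i in range(nsections):
            raw_size, raw_ptr = struct.unpack_from("<II", blob, sect + 40 * i + 16)
            end = max(end, raw_ptr + raw_size)
    except struct.error:
        return None
    return end if off + end <= len(blob) else None           # reject truncated images


def scan_blob(blob):
    """Hash the blob, flag the Packager CLSID and indicator strings, carve every PE."""
    finding = {
        "md5": hashlib.md5(blob).hexdigest(),
        "packager_clsid": PACKAGER_CLSID in blob,
        "strings": {s.decode(): blob.find(s) for s in INDICATORS if s in blob},
        "dropped": [],
    }
    for m in re.finditer(b"MZ", blob):
        length = pe_length(blob, m.start())
        if length:
            exe = blob[m.start():m.start() + length]
            finding["dropped"].append(
                {"offset": m.start(), "size": length, "md5": hashlib.md5(exe).hexdigest()})
    return finding


def triage_docx(data):
    """Walk the OOXML zip; scan each embedded OLE object and the VBA project, if present."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename
            if name.startswith("word/embeddings/") or name.endswith("vbaProject.bin"):
                results[name.rsplit("/", 1)[-1]] = scan_blob(z.read(info))
    return results


# ---- constructed sample input, not the real Samp(2).docx ----------------------

def build_sample_pe():
    """Minimal, structurally valid PE32 (one section, no code) used only as test input."""
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    hdr[0x4E:0x4E + 38] = b"This program cannot be run in DOS mode"  # usual stub position
    struct.pack_into("<I", hdr, 0x3C, 0x80)                      # e_lfanew
    hdr[0x80:0x80 + len(coff) + len(opt) + len(section)] = coff + opt + section
    body = b"\x00".join([b"KERNEL32.dll", b"LoadLibraryA", b"GetProcAddress",
                         b"CreateFileA", b"RegOpenKeyExA"]).ljust(0x200, b"\x00")
    return bytes(hdr) + body


def build_sample_docx():
    """Constructed .docx laid out like the report: a Packager object carrying a PE at
    offset 3169, plus a vbaProject.bin holding the FileSystemObject / WMI strings."""
    ole = bytearray(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1".ljust(3169, b"\x00"))  # CFB magic + padding
    ole[0x600:0x610] = PACKAGER_CLSID   # assumed spot; real files keep it in a directory entry
    ole += build_sample_pe()
    vba = b"\x00".join([b'Attribute VB_Name = "ThisDocument"', b"Scripting.FileSystemObject",
                        b"winmgmts:{impersonationLevel=impersonate}"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/embeddings/oleObject1.bin", bytes(ole))
        z.writestr("word/vbaProject.bin", vba)
    return buf.getvalue()


if __name__ == "__main__":
    for name, f in triage_docx(build_sample_docx()).items():
        print(name, f["md5"], "packager" if f["packager_clsid"] else "", f["dropped"])
```

The carve stops at the end of the last section, so an overlay would be lost; in a real Packager object the payload length is recorded in the Packager stream of the compound file and is the better bound once a proper CFB parser is in hand. The import names on their own occur in any benign PE; what makes this sample worth escalating is the combination of a Packager object that carries an executable and a VBA project that references Scripting.FileSystemObject together with the impersonationLevel fragment typical of a WMI moniker.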


Dropped Files

oleObject1.bin at zip
md5: 2aa55da7e8b4f0a27ccefc94b200126b
sha1: 6c20adf78f0ebf850a6e41613f8cc2ebdb2a9f23
sha256: 6c16ea529298c636ada52f8c844f181518eef70704c88debf93c85554819205a

exe at 3169
md5: e202efeb138de48c55046d32fafbb315
sha1: 1eb1edbdaa4f2854382d1d82a568aa238b53606d
sha256: 917301c1ef1f34d908805a80a88854e785def758b23005c2fc4953d65b898e3c
imphash: e52a443b8112ee51c21a05a7a7114ad5

vbaProject.bin at zip
md5: c66ce299f067fef7522a96ed952db915
sha1: 2c47adc5847fcdfc155b77af2654a8f8a86097a6
sha256: e5d6978471f4c5d611ef582d901c599e1d885369bcd536b935c32c4008ad5652