Cryptam // document analysis


Sample Details

original filename: c1b4733d52696d8d5764cc2ec56902310845e4dc1a08ca41aec6b477872cb74a_6bYDuh9tfbBfVYg7up.doc

size: 2052608 bytes
submitted: 2018-10-06 06:17:14
md5: 11edb04513144a5ad4ed84e0e609d3f4
sha1: 6512ec0c7955f12180d6f5d464033a14da4b0ee1
sha256: c1b4733d52696d8d5764cc2ec56902310845e4dc1a08ca41aec6b477872cb74a
ssdeep: 49152:WRgYTQ3IgOfQAWMBYNRatU9iy+QD5Dl65F8/jW9YVv:LYkIiApBqn1Nw5F87P
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 4.87 s
result: malware [100]
embedded executable: found

signature hits:

766537: exploit.office embedded Visual Basic execute shell command Wscript.Shell
71758: string.This program cannot be run in DOS mode
318828: string.GetCommandLineA
78066: string.GetProcAddress
316064: string.EnterCriticalSection
78284: string.CloseHandle
78392: string.KERNEL32
78150: string.ExitProcess
766493: string.vbs On Error Resume Next
dropped.file exe 53a3e884883046c47a8f42fda231ada3 / 20992 bytes / @ 71680
dropped.file exe 473355262e65f3befcd93a521788dfe8 / 255488 bytes / @ 92672
dropped.file exe 21c178d55cdeda74c2fa15faf0127f96 / 1704448 bytes / @ 348160


Dropped Files

exe at 71680
md5: 53a3e884883046c47a8f42fda231ada3
sha1: e22662b6d54e942848b834828ec607700567e1d4
sha256: 6d24a8dfc2c0bfdd478b1c7c5b24388c22e713d2e8fda4aa397e350043fcbfb4

exe at 92672
md5: 473355262e65f3befcd93a521788dfe8
sha1: 6f974aefc11d944199039f803b7ea2fed54395bd
sha256: 1a51b6b1eabd6dad31199427084c21e443fd3d0475b022f53667b300fa816234

exe at 348160
md5: 21c178d55cdeda74c2fa15faf0127f96
sha1: ef726dcfb3be129faaf3974449e85eba3b5caf13
sha256: 45b10f019040d6f42bd45491433857310b31d1c2f77a3348cf750db7bbe4fe10