Cryptam // document analysis


Sample Details

original filename: c4f1dff918450eb4de05c791b87bf12220c49c74d0cc02de940e155ebe07f0c4_190215090529682644.xls

size: 89088 bytes
submitted: 2019-05-25 06:03:07
md5: 5ca19b7f91f0013cf9cfd917763bb75a
sha1: 45ad9de01d1dce8db31c55e990f0ae60e8bdcabb
sha256: c4f1dff918450eb4de05c791b87bf12220c49c74d0cc02de940e155ebe07f0c4
ssdeep: 1536:mLGGPzLal6yErOaJgAKtOEJ1gxv7yZmspH7+cclKiEZClsQ6NqTBun5orA/NlIPW:NJ1gxv7yZmspH7+cclKisQ6NqTBun5oC
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 0.79 s
result: malware [72]
embedded executable: found

signature hits:

42891: exploit.office embedded Visual Basic write to file Scripting.FileSystemObject
43475: exploit.office embedded Visual Basic execute shell command Wscript.Shell
49968: exploit.office embedded Visual Basic accessing file OpenTextFile
79058: suspicious.office Visual Basic macro
40181: string.vbs On Error Resume Next
dropped.file vbs b5cb91f1f44feb1736e03fd9bc35e0e5 / 20510 bytes / @ 46581
dropped.file vbs 8a7c5ca0924d7959e3e4a6ed837219e0 / 21997 bytes / @ 67091


Dropped Files

vbs at 46581
md5: b5cb91f1f44feb1736e03fd9bc35e0e5
sha1: 4074fcc7e538c590a826e958bcdba3095b3399a6
sha256: 989fca8cad1e877cd142104f147466a7eca2140b54249878a37a473de3db3d6c

vbs at 67091
md5: 8a7c5ca0924d7959e3e4a6ed837219e0
sha1: 8297f4a7154fcd83bb8697201940c4424fb31f4a
sha256: 312f059547a15c9a9eb2b7e65a36d56402dfe3fa67c08a50af65f5af516bb7b9