Cryptam // document analysis


Sample Details

original filename: Invoice_101119.xls

size: 719872 bytes
submitted: 2019-10-12 16:04:03
md5: db0ae873a7466ba62bb8fb4ac7aeddd1
sha1: b2754039e48598ef031850ec0e5566574aaba845
sha256: c5a670d2111c9b89ab2f7b68da455c5889e92a170b879caf87593172be956c43
ssdeep: 12288:W+J3CJpeAO7dhZNY65Llk1yPSusK6RxtNcU+NtR06XuuD25q09hW4Wc:W+J3CveAwvb5lkqXwHNcUQR06ehbP
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 2.34 s
result: malware [84]
embedded executable: found

signature hits:

671056: exploit.office embedded Visual Basic execute shell command Wscript.Shell
695568: suspicious.office Visual Basic macro
1488: suspicious.office Packager ClassID used by CVE-2014-6352 C
6317: string.This program cannot be run in DOS mode
29633: string.GetModuleHandleA
29711: string.CloseHandle
10213: string.KERNEL32
29653: string.ExitProcess
29371: string.CreateWindowExA
dropped.file exe 8cc6ca8d8402a763dd7d57bdc29c7e17 / 289572 bytes / @ 12383
dropped.file exe e87eb5b34ffc3c113a82a03f64692fca / 417917 bytes / @ 301955


Dropped Files

exe at 12383
md5: 8cc6ca8d8402a763dd7d57bdc29c7e17
sha1: 1b1f8fac5cd3d6cd8d5d8f7944dccf98958f531e
sha256: 3f7178e3cd97ee8fb8c503c04074ff089c16337eb89ff8ae17b8c16b45b6cc6a

exe at 301955
md5: e87eb5b34ffc3c113a82a03f64692fca
sha1: e296bcc922670d82b1e599c413bfa8a40541c015
sha256: fd63efd80e8fc71539f60a42980819670a9e22b0c6383b532a77a9df8ee3ac6f