Cryptam // document analysis


Sample Details

original filename: cd2b2efbc13c888f2a350b4a131f5269a5a3f0355c6dcd5afd7bfc53c54721f9_190215090638307538.xls

size: 98816 bytes
submitted: 2019-05-25 06:03:26
md5: d801b454160510cb30428cd7e0695243
sha1: 30019df3ec9ee12e2f2040698b58ff48a161092a
sha256: cd2b2efbc13c888f2a350b4a131f5269a5a3f0355c6dcd5afd7bfc53c54721f9
ssdeep: 3072:zKj1gxv7yZmspH7+cclKisCWI4ukoRWGNZAlfjcc0lbxOsX9ww33XjUJtXw3:+j1gxv7yZmspH7+cclKisCWI4ukoRWG0
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 0.85 s
result: malware [72]
embedded executable: found

signature hits:

50964: exploit.office embedded Visual Basic write to file Scripting.FileSystemObject
51548: exploit.office embedded Visual Basic execute shell command Wscript.Shell
58041: exploit.office embedded Visual Basic accessing file OpenTextFile
88786: suspicious.office Visual Basic macro
47742: string.vbs On Error Resume Next
dropped.file vbs 7bd0a0d83a77f46d829313e5e65f2320 / 19998 bytes / @ 54654
dropped.file vbs 42f90c1745cb516305fac7db5677a2d4 / 24164 bytes / @ 74652


Dropped Files

vbs at 54654
md5: 7bd0a0d83a77f46d829313e5e65f2320
sha1: 3c53fe3960d2e9af7060f0395a48d9aaa463e6d5
sha256: 66129927c1aa9e9d27828f89b0561569aad0d5c646598daede23cd9c55aa5a08

vbs at 74652
md5: 42f90c1745cb516305fac7db5677a2d4
sha1: f77d419b9b489d7c79b4b6b16398f233b19271ae
sha256: e33e540d59db7b19b09891092c7cd1dcfe0e9551769762b213dcbbbb733d85b6