Cryptam // document analysis


Sample Details

original filename: cfc5751177a385058ea6ea1c97f6240885e803b607bf1de854cdb7db4d628beb_pubpolexam.doc

size: 75776 bytes
submitted: 2018-08-19 10:44:55
md5: c153b9002d2f2ff0885b5335fdcfa326
sha1: 15d34c28cc3a8cbe5bb301554ae4bd3637ad21f8
sha256: cfc5751177a385058ea6ea1c97f6240885e803b607bf1de854cdb7db4d628beb
ssdeep: 768:GC7wrTAW4Reb3SJujoxqnLEaRvptJeLVqwZoJZGfG18SEz9rtmjVU7bhlMrcu5Lx:a4Wu4LrzZ5zZxGTxZtlOBrs
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 1.13 s
result: malware [102]
embedded executable: found

signature hits:

50209: exploit.office embedded Visual Basic write to file Scripting.FileSystemObject
49918: exploit.office embedded Visual Basic execute shell command Wscript.Shell
56614: exploit.office embedded Visual Basic accessing file OpenTextFile
70890: suspicious.office Visual Basic macro
35803: exploit.office VB Macro auto execute
49705: string.vbs On Error Resume Next
50195: string.vbs CreateObject
dropped.file vbs d7c297c9b71c5f4730f0a840f73e991a / 8984 bytes / @ 49491
dropped.file vbs ea40855434546d63595b760ef1180a82 / 104 bytes / @ 58475
dropped.file vbs 242b710ab22b95e5cdea969e3783dc73 / 32 bytes / @ 58579
dropped.file vbs ad7885d023f8393750628458be803283 / 1112 bytes / @ 58611
dropped.file vbs ccdd30830c7ce70d546a9783237c4c6e / 16053 bytes / @ 59723


Dropped Files

vbs at 49491
md5: d7c297c9b71c5f4730f0a840f73e991a
sha1: 21cf9b29ff47ed4438b69d17706ac536bcf9b3cf
sha256: 7ab1b68c012c0b1ff8256d18f0f4832dc1bdc5f57b6b93dc68a45e59a403e29e

vbs at 58475
md5: ea40855434546d63595b760ef1180a82
sha1: a1ddc4593b4c443493a50ab56edf1cab847f4f0e
sha256: 3fad17470efe4eab9b48b16aecd0014cfe5ff784b4d2255398c9297f68fe5c1c

vbs at 58579
md5: 242b710ab22b95e5cdea969e3783dc73
sha1: 420ca80d05cc5ef50624be0f2120c77b7c00f049
sha256: e431b8a9c4145dde410d1b5553c258c93dfe518529b1cd10803b663c21b3f9e9

vbs at 58611
md5: ad7885d023f8393750628458be803283
sha1: ad05e60aa5a55b078aeef6d5b54c03c14eb0820b
sha256: bfa01f030ea49a1d7100ff90f310785b2288004b2c8c619901a1eca4bc308b4e

vbs at 59723
md5: ccdd30830c7ce70d546a9783237c4c6e
sha1: ef1d69da9ae5d0d3691fc482eb561cb82ed9324b
sha256: 65b8e37937adea83f1eb9120607266cc6335c3fe3dacc189ad3864fd5c28befc