Cryptam // document analysis


Sample Details

original filename: d97b14752193fdbe4d9aede479a01bd9fcf3d4831a5ba20cb7eba021c6b0ba83_hbYDuh9tfbBfVYg7up.doc

size: 2052608 bytes
submitted: 2018-10-07 06:00:23
md5: 47b4faa1fee5ffdfade5d70c0a0702e7
sha1: 61b263b7d79ce3a027e5381ff377223435f1c8a5
sha256: d97b14752193fdbe4d9aede479a01bd9fcf3d4831a5ba20cb7eba021c6b0ba83
ssdeep: 49152:iHgYTQ3IgOfQAWMBYNRatULyxA0oPEkfXGohZVQREvv:BYkIiApBPC0oPTh53
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 4.76 s
result: malware [100]
embedded executable: found

signature hits:

766537: exploit.office embedded Visual Basic execute shell command Wscript.Shell
71758: string.This program cannot be run in DOS mode
318828: string.GetCommandLineA
78066: string.GetProcAddress
316064: string.EnterCriticalSection
78284: string.CloseHandle
78392: string.KERNEL32
78150: string.ExitProcess
766493: string.vbs On Error Resume Next
dropped.file exe 53a3e884883046c47a8f42fda231ada3 / 20992 bytes / @ 71680
dropped.file exe 473355262e65f3befcd93a521788dfe8 / 255488 bytes / @ 92672
dropped.file exe 6c9e33518ac61270fd3a34fcadcb05c2 / 1704448 bytes / @ 348160


Dropped Files

exe at 71680
md5: 53a3e884883046c47a8f42fda231ada3
sha1: e22662b6d54e942848b834828ec607700567e1d4
sha256: 6d24a8dfc2c0bfdd478b1c7c5b24388c22e713d2e8fda4aa397e350043fcbfb4

exe at 92672
md5: 473355262e65f3befcd93a521788dfe8
sha1: 6f974aefc11d944199039f803b7ea2fed54395bd
sha256: 1a51b6b1eabd6dad31199427084c21e443fd3d0475b022f53667b300fa816234

exe at 348160
md5: 6c9e33518ac61270fd3a34fcadcb05c2
sha1: 6b7c01a9d9913e4c01146bd56004a6a7f295fe03
sha256: a606263dfb4c7766c89abbbd3ad8ab347b2314d3a448af568ec58ce86bb766d2