Cryptam // document analysis


Sample Details

original filename: ebcb018740989472bf81cc226c29709dc8fbd792971b799be77b50feccd1af87_6bYDuh9tfbBfVYg7up.doc

size: 2052608 bytes
submitted: 2018-10-04 06:20:56
md5: 3955cd7e66b090ababe8ccda4cc8cbf3
sha1: 98ca14ed9d89ff6d52a1d8cbb7bdbf5e08de78b4
sha256: ebcb018740989472bf81cc226c29709dc8fbd792971b799be77b50feccd1af87
ssdeep: 49152:/NgYTQ3IgOfQAWMBYNRatUuiy+QD5Dl65F8/N1xVv:iYkIiApBNn1Nw5F8V1n
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 4.93 s
result: malware [100]
embedded executable: found

signature hits:

766537: exploit.office embedded Visual Basic execute shell command Wscript.Shell
71758: string.This program cannot be run in DOS mode
318828: string.GetCommandLineA
78066: string.GetProcAddress
316064: string.EnterCriticalSection
78284: string.CloseHandle
78392: string.KERNEL32
78150: string.ExitProcess
766493: string.vbs On Error Resume Next
dropped.file exe 53a3e884883046c47a8f42fda231ada3 / 20992 bytes / @ 71680
dropped.file exe 473355262e65f3befcd93a521788dfe8 / 255488 bytes / @ 92672
dropped.file exe 1464147624bfde0b21d0dfe174b9e3e9 / 1704448 bytes / @ 348160


Dropped Files

exe at 71680
md5: 53a3e884883046c47a8f42fda231ada3
sha1: e22662b6d54e942848b834828ec607700567e1d4
sha256: 6d24a8dfc2c0bfdd478b1c7c5b24388c22e713d2e8fda4aa397e350043fcbfb4

exe at 92672
md5: 473355262e65f3befcd93a521788dfe8
sha1: 6f974aefc11d944199039f803b7ea2fed54395bd
sha256: 1a51b6b1eabd6dad31199427084c21e443fd3d0475b022f53667b300fa816234

exe at 348160
md5: 1464147624bfde0b21d0dfe174b9e3e9
sha1: 9207f74cec99bf4770d5b17ef92a0ffc07136efc
sha256: 3bb09ef9b4d4ebeba59d1252dea8270595a1c6d3873e77e6d9012f6075917dad