Cryptam // document analysis


Sample Details

original filename: Samp(3).docx

size: 306896 bytes
submitted: 2018-12-17 07:39:45
md5: 06138c9944127a3f38fe1145bf6b72ca
sha1: 0570265c3f27be4d02de7c8133635230d4c46324
sha256: ebd8155b589b2341d7de2c65fb1e971a06482d953b674168ce91ca50f7b857c7
ssdeep: 6144:tXGmKDFUuPEOHMDOXw62pKqHuqJw0BQpPgqGRbpEBiVpL40rX+t+VW:T8F5lMDOg62p9O3oqkEB+m+VW
content/type: Microsoft Word 2007+
analysis time: 0.00 s
result: malware [154]
embedded file objects: yes
embedded executable: found

signature hits:

embedded.file oleObject1.bin b214ecfa81c8a22c3ef663f9776327b6
oleObject1.bin.1104: suspicious.office Packager ClassID used by CVE-2014-6352 C
oleObject1.bin.8865: string.This program cannot be run in DOS mode
oleObject1.bin.67387: string.LoadLibraryA
oleObject1.bin.67485: string.GetModuleHandleA
oleObject1.bin.66469: string.GetCommandLineA
oleObject1.bin.67369: string.GetProcAddress
oleObject1.bin.67157: string.CreateProcessA
oleObject1.bin.66689: string.EnterCriticalSection
oleObject1.bin.66411: string.CloseHandle
oleObject1.bin.66939: string.CreateFileA
oleObject1.bin.66019: string.RegOpenKeyExA
oleObject1.bin.66071: string.RegDeleteKeyA
oleObject1.bin.67521: string.KERNEL32
oleObject1.bin.dropped.file exe c9909bf6dda632116a5c174945e8fdcc / 65965 bytes / @ 8787
embedded.file vbaProject.bin 118f916e0c5f5e45402091e1ad348a18
vbaProject.bin.12491: exploit.office embedded Visual Basic write to file Scripting.FileSystemObject
vbaProject.bin.28886: suspicious.office Visual Basic macro
vbaProject.bin.12179: string.vbs impersonationLevel



Dropped Files

oleObject1.bin at zip
md5: b214ecfa81c8a22c3ef663f9776327b6
sha1: f08a43769e57aae95a02ff5d3bf1e590c5eb0247
sha256: 2589cf0c302df786273868cbae4f7507f0a12fe102355ab154bc4199938dd4e3

exe at 8787
md5: c9909bf6dda632116a5c174945e8fdcc
sha1: 3224a57693f81301bdc2bb4a2a785d414af700c5
sha256: c23a48470355b1e38e6a119e1918293f170af9231b4d7a2eb7792a6697762edd
imphash: 00f13025541f2001e3ac5b3b35496b6b

vbaProject.bin at zip
md5: 118f916e0c5f5e45402091e1ad348a18
sha1: 5e5b48f0cbd3a44b2fd83468d08a01cca858c9fc
sha256: 0be3b5c4a2f7ea2bc672a55654171742baa9878b0ae7b64c7b11c75682342950