Cryptam // document analysis


Sample Details

original filename: Samp(5).docx

size: 298843 bytes
submitted: 2018-12-17 07:41:25
md5: a368a2619a4870c9ab3f26e07184d445
sha1: 2f7cd837a5052acfc7fb17bf09a0434137f7e9a1
sha256: f5e5be0471dde2ca55c7e7f8c966115a30d790cd5adc8d9774c1c5151fa11eb9
ssdeep: 6144:tJK+6nXO/rW5+faffNirIRPJZUMSCbe+TTTIH:nK+6+/rWgfaoofUnCbegTIH
content/type: Microsoft Word 2007+
analysis time: 0.00 s
result: malware [154]
embedded file objects: yes
embedded executable: found

signature hits:

embedded.file oleObject1.bin 89d9e05f60d97e9831bc1d2881a916eb
oleObject1.bin.1104: suspicious.office Packager ClassID used by CVE-2014-6352 C
oleObject1.bin.8865: string.This program cannot be run in DOS mode
oleObject1.bin.57691: string.LoadLibraryA
oleObject1.bin.57789: string.GetModuleHandleA
oleObject1.bin.56765: string.GetCommandLineA
oleObject1.bin.57673: string.GetProcAddress
oleObject1.bin.57461: string.CreateProcessA
oleObject1.bin.57003: string.EnterCriticalSection
oleObject1.bin.56697: string.CloseHandle
oleObject1.bin.57243: string.CreateFileA
oleObject1.bin.56323: string.RegOpenKeyExA
oleObject1.bin.56375: string.RegDeleteKeyA
oleObject1.bin.57825: string.KERNEL32
oleObject1.bin.dropped.file exe 9b88bc8fb6d84c582c7f81e1aab79cc5 / 76205 bytes / @ 8787
embedded.file vbaProject.bin 8d309eba647c7bb23368ccd7168d5808
vbaProject.bin.18133: exploit.office embedded Visual Basic write to file Scripting.FileSystemObject
vbaProject.bin.34518: suspicious.office Visual Basic macro
vbaProject.bin.15223: string.vbs impersonationLevel


Dropped Files

oleObject1.bin at zip
md5: 89d9e05f60d97e9831bc1d2881a916eb
sha1: 295c3d07b6e58189a086dcaea76a332e689facc6
sha256: da9c0944103b7e5e9dbc641e40f9269804a258a39ca001ca8ce88c7785b55663

exe at 8787
md5: 9b88bc8fb6d84c582c7f81e1aab79cc5
sha1: ae920143e6865409ccfc7298145a630bfad7e252
sha256: d7f919cf43419161a45bcc8f2eee0af943aa2f912ca76da4d2a04b2bcee52e36
imphash: 46d211119f7b9695ee6ec3b924faab9d

vbaProject.bin at zip
md5: 8d309eba647c7bb23368ccd7168d5808
sha1: ffc49072147a65822503497ce71e401f230d0afa
sha256: c07b1cf19db8e7e63bf289ff2397f99db5ab485e893949baeaa0e74ad0bdff63