Cryptam // document analysis



Sample Details

original filename: c68180570b1a9e040a90525ab67ca0a8.virus

size: 156710 bytes
submitted: 2017-10-07 20:14:17
md5: c68180570b1a9e040a90525ab67ca0a8
sha1: 10d8e017e595260029e8dab266e998d3cfb7164b
sha256: 04f1e396e8093d0392e78ee1326816fd20e67a90225d3e75e6c192215fcc183f
ssdeep: 3072:Y84pq6LMXP3w1hedJjFjdQhHt5eMFEEJ/uRiAAH1C7:k5Q3HFShN8MGdiPU
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 89.40 s
result: malware [82]
embedded executable: found

signature hits:

2563: exploit.office MSCOMCTL.OCX Toolbar MS12-060 A
2571: exploit.office MSCOMCTL.OCX Toolbar MS12-060
20946: suspicious.office Visual Basic macro
28750: string.This program cannot be run in DOS mode
32706: string.GetProcAddress
33920: string.CloseHandle
32982: string.KERNEL32
dropped.file exe 5a05dd2b2ee7c5718bbb87fd801ab416 / 6776 bytes / @ 28672
dropped.file exe 439c2611e4f6ebb27f9acad90e0abdb1 / 8776 bytes / @ 35448
dropped.file exe c95fe0754de68674775923504973cdda / 33720 bytes / @ 44224
dropped.file exe c26563819734dba7ec66bfee1beb6cdd / 11688 bytes / @ 77944
dropped.file exe c9f19987025dba068a19b5a36e947d9b / 36320 bytes / @ 89632
dropped.file doc a5f0c0db2eca0b5155c30946099ea7d2 / 30758 bytes / @ 125952
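The dropped.file lines are produced by locating embedded PE images inside the OLE container and hashing them. The following is an added example of how such a carver works; it is not Cryptam's code and the container, images and offsets it uses are constructed in the block. Each 'MZ' hit is validated by following e_lfanew to the 'PE\0\0' signature, the image is sized from the section table (PointerToRawData + SizeOfRawData of the last section, so an overlay is not recovered), and truncated images are rejected rather than carved as garbage.

```python
import hashlib
import struct

# DOS-stub string flagged as signature 28750 in the report; a cheap sanity
# check that an 'MZ' hit really is the start of a PE image.
DOS_STUB = b"This program cannot be run in DOS mode"


def _parse_pe_at(blob: bytes, off: int):
    """Validate an 'MZ' at `off` and size the image from its section table.
    Returns None unless e_lfanew points at 'PE\\0\\0' and all section data fits."""
    if off + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew < 0x40 or e_lfanew > 0x400 or blob[pe:pe + 4] != b"PE\0\0":
        return None
    if pe + 24 > len(blob):
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    if not 1 <= nsect <= 96:
        return None
    sect_tab = pe + 24 + opt_size                    # absolute offset of section table
    end = e_lfanew + 24 + opt_size + 40 * nsect      # image-relative end of the headers
    for i in range(nsect):
        s = sect_tab + 40 * i
        if s + 40 > len(blob):
            return None
        size_raw, ptr_raw = struct.unpack_from("<II", blob, s + 16)   # SizeOfRawData, PointerToRawData
        end = max(end, ptr_raw + size_raw)
    if off + end > len(blob):
        return None                                  # truncated image: reject, do not carve
    image = blob[off:off + end]
    return {"offset": off, "size": len(image),
            "md5": hashlib.md5(image).hexdigest(),
            "dos_stub": DOS_STUB in image[:e_lfanew]}


def carve_pe_files(blob: bytes):
    """Walk every 'MZ' in `blob`; keep the ones that parse as a PE image."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        hit = _parse_pe_at(blob, pos)
        if hit is None:
            pos = blob.find(b"MZ", pos + 1)
        else:
            hits.append(hit)
            pos = blob.find(b"MZ", pos + hit["size"])   # skip past the carved image
    return hits


def report_lines(hits):
    """Render hits in the same shape as the report's dropped.file lines."""
    return ["dropped.file exe %s / %d bytes / @ %d" % (h["md5"], h["size"], h["offset"])
            for h in hits]


def build_test_pe(payload: bytes) -> bytes:
    """Constructed minimal PE32 image (not a sample from the report): DOS header
    carrying the stub string, e_lfanew = 0x80, one .text section holding `payload`."""
    opt_size = 224                                   # PE32 optional header size
    hdr_size = 0x80 + 4 + 20 + opt_size + 40         # DOS + 'PE' + COFF + optional + 1 section
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    dos[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    struct.pack_into("<I", dos, 0x3C, 0x80)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                       len(payload), hdr_size, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect + payload


def build_test_document():
    """Constructed container: CFB magic, zero padding with a decoy 'MZ' whose
    e_lfanew is zero, then two embedded PEs. Returns (blob, [true offsets])."""
    pe_a = build_test_pe(b"\x90" * 500)
    pe_b = build_test_pe(b"\xcc" * 1200)
    prefix = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 1000 + b"MZ"
              + b"\x00" * 3086 + b"\xff" * 1000)
    blob = prefix + pe_a + b"\x00" * 512 + pe_b + b"\x00" * 512
    return blob, [len(prefix), len(prefix) + len(pe_a) + 512]


if __name__ == "__main__":
    doc, _ = build_test_document()
    print("\n".join(report_lines(carve_pe_files(doc))))
```

Sizing from the section table rather than scanning to the next 'MZ' matters in a sample like this one, where five images sit back to back: a scan to the next header would swallow the padding between them and change every hash.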


Cryptanalysis


key length: 32 bytes
key:

occurrences in file: 825
entropy: 100.00%
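The block above reports a 32-byte repeating key that appears 825 times in the file. An embedded PE leaks its key that way when it is XOR-encrypted with a short repeating key: the image is mostly zero padding, and 0x00 XOR k is k, so every key-aligned chunk of zeros is a verbatim copy of the key. The following is an added example, not Cryptam's code, and it assumes repeating-key XOR (the page does not say which cipher the analyser found). It recovers the key by taking the most common ciphertext byte in each key column, picks the shortest key length whose decryption shows PE markers, and counts key-aligned copies of the key the way the "occurrences" figure suggests; the sample plaintext and the key are constructed in the block, and the key's phase relative to the file start is deliberately unknown.

```python
import struct
from collections import Counter

DOS_STUB = b"This program cannot be run in DOS mode"
MAX_KEY_LEN = 64

# Constructed 32-byte demo key (distinct, non-zero bytes); not the sample's key,
# which the report leaves blank.
TRUE_KEY = bytes((11 + 37 * i) & 0xFF for i in range(32))


def xor_with_key(data: bytes, key: bytes, phase: int = 0) -> bytes:
    """Repeating-key XOR; the key byte for file offset i is key[(i + phase) % len(key)]."""
    n = len(key)
    return bytes(b ^ key[(i + phase) % n] for i, b in enumerate(data))


def recover_key(cipher: bytes, key_len: int) -> bytes:
    """Most common ciphertext byte in each key column: the key byte sitting over
    the plaintext's dominant byte, which for a PE image is 0x00."""
    return bytes(Counter(cipher[i::key_len]).most_common(1)[0][0] for i in range(key_len))


def looks_like_pe(plain: bytes) -> bool:
    """Decryption check: 'MZ' at offset 0 and the DOS stub string in the header."""
    return plain[:2] == b"MZ" and DOS_STUB in plain[:0x200]


def count_key_occurrences(cipher: bytes, key: bytes) -> int:
    """Key-aligned chunks of ciphertext equal to the key: one per zero-filled
    key-sized chunk of plaintext."""
    n = len(key)
    return sum(1 for i in range(0, len(cipher) - n + 1, n) if cipher[i:i + n] == key)


def analyse(cipher: bytes):
    """Shortest key length whose frequency-derived key decrypts to PE markers.
    The recovered key is the key stream as seen from file offset 0, i.e. the true
    key rotated by whatever phase the encryption started at."""
    for key_len in range(1, MAX_KEY_LEN + 1):
        key = recover_key(cipher, key_len)
        plain = xor_with_key(cipher, key)
        if looks_like_pe(plain):
            return {"key_len": key_len, "key": key, "plain": plain,
                    "occurrences": count_key_occurrences(cipher, key)}
    return None


def make_sample(key: bytes, phase: int):
    """Constructed plaintext shaped like a PE (MZ, DOS stub, 3200 bytes of zero
    padding, 512 bytes of varied 'code', 1024 more zeros) and its encryption."""
    dos = bytearray(128)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 128)
    dos[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    plain = bytes(dos) + b"\x00" * 3200 + bytes(range(256)) * 2 + b"\x00" * 1024
    return plain, xor_with_key(plain, key, phase)


if __name__ == "__main__":
    _, sample = make_sample(TRUE_KEY, phase=5)
    result = analyse(sample)
    print("key length:", result["key_len"])
    print("key:", result["key"].hex())
    print("occurrences in file:", result["occurrences"])
```

The column-frequency step is only as good as the zero bias of the plaintext; on a packed or compressed payload it fails, which is why the marker check is not optional. The occurrence count also doubles as a confidence signal: a key that never appears verbatim in the ciphertext is unlikely to be covering a PE image.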


Strings

raw strings
decrypted raw strings

Dropped Files

exe at 28672
md5: 5a05dd2b2ee7c5718bbb87fd801ab416
sha1: d7a93d32be323f946848c3426652e9dc2fdd07ab
sha256: 540c88e32c1d952bcf9773acddbc76a9e304fef4d65f5b80e170209f8c5ccda2

exe at 35448
md5: 439c2611e4f6ebb27f9acad90e0abdb1
sha1: acc53918bddc87d12645b2b073c490bf5a8db028
sha256: 1c403a06999930a924e4897d1e5c0541618b47f9971baf76a467e6e7756f22ad

exe at 44224
md5: c95fe0754de68674775923504973cdda
sha1: d268c7303813d7df6bb4f435402347e6f9d61e1c
sha256: a4835dacff466b224325c2ff342eaa08bbaef41e5f9509f6c3abba0c478f5b3e

exe at 77944
md5: c26563819734dba7ec66bfee1beb6cdd
sha1: 4b38f1b5ce446ff9a8d426be343baa6d31bc6d6b
sha256: 302997afd970513a45954c32d0025df57c8a056a996c1669903636733b038667

exe at 89632
md5: c9f19987025dba068a19b5a36e947d9b
sha1: a37997e9d4dce52753b4ab59e581e54004d0a413
sha256: 8b13c843025b5c907f9c49131236abf22e5e82dd49adf46c277c09b191524ade

doc at 125952
md5: a5f0c0db2eca0b5155c30946099ea7d2
sha1: bb3fa040079620fc9ce7a3ec9264ce8fea6f0380
sha256: 2576bfe8db0069553ed1833e854d9fe02c3d2b70607f6c4bfecc28390d9c8628