Cryptam // document analysis
Sample Details

original filename: 064c0e1b9157bfcaca62c2f06abd4b51aa289c1b1678c2688b1d7f36cc1335a8

size: 121872 bytes
submitted: 2014-01-14 01:09:13
md5: 1750a38a44151493b675538a1ac2070b
sha1: 4380b5336fa03554cbc5542a7460f7cc70adc8bb
sha256: 064c0e1b9157bfcaca62c2f06abd4b51aa289c1b1678c2688b1d7f36cc1335a8
ssdeep: 1536:dgMN5RvDXgBTiwWiE9Nc3Kk6iyyYTWr5yDByiR31E2U1nr1hd4PbB:dg4EY3HyKk6iyM52ySFE28bd4TB
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 159.58 s
result: malware [110]
embedded executable: found

signature hits:

2570: exploit.office ScriptBridge may load remote exploit
86936: xor_0x8f.not.string.LoadLibraryA
86424: xor_0x8f.not.string.GetModuleHandleA
86462: xor_0x8f.not.string.GetCommandLineA
86918: xor_0x8f.not.string.GetProcAddress
86360: xor_0x8f.not.string.GetEnvironmentVariableA
86386: xor_0x8f.not.string.CreateFileA
86044: xor_0x8f.not.string.user32.dll
86408: xor_0x8f.not.string.KERNEL32
86494: xor_0x8f.not.string.ExitProcess
Cryptanalysis
key length: 1 bytes
key:

zero space not replaced: yes
entropy: 100.00%
bitwise not: yes
