Cryptam // document analysis
Sample Details

original filename: 093e394933c4545ba7019f511961b9a5ab91156cf791f45de074acad03d1a44a

size: 299024 bytes
submitted: 2014-12-22 05:06:26
md5: 0dbe90b1dca29e2daf28ff789b3d43d3
sha1: 71999500915dff038dc2d39facecbfbb5a907f96
sha256: 093e394933c4545ba7019f511961b9a5ab91156cf791f45de074acad03d1a44a
ssdeep: 3072:BslVmSI1eRbNe/V7gxzOLmQM8BfFKR2vSAWKG9zPs99j/iwnAuCnKrNcAfihHX31:BUg1abgVMOLmQ1BtKmSYNfA9KniF3
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 21.08 s
result: malware [142]
embedded executable: found

signature hits:

2562: exploit.office MSCOMCTL.OCX Toolbar MS12-060 A
14385: exploit.office MSCOMCTL.OCX Toolbar MS12-060 B
2570: exploit.office MSCOMCTL.OCX Toolbar MS12-060
16018: suspicious.office Visual Basic macro
249950: string.This program cannot be run in DOS mode
289984: string.GetCommandLineA
290250: string.GetProcAddress
290680: string.EnterCriticalSection
290998: string.CloseHandle
289740: string.RegOpenKeyExA
289946: string.KERNEL32
282215: string.ExitProcess
dropped.file exe 3a5ca9d5b3dda62a5413fac3d497d6c2 / 49152 bytes / @ 249872


Yara Tags

doc_exploit_ms12_060_toolbar
malware_kis

Dropped Files

exe at 249872
md5: 3a5ca9d5b3dda62a5413fac3d497d6c2
sha1: 13bd80446c74579b8ba81789ca643ae90b2c05d0
sha256: 2930e6578fb002dc6c06ee36fa957836cdcf781173f42664d5ca05c1d1850477