Cryptam // document analysis
Sample Details

original filename: LaOL.doc

size: 1034890 bytes
submitted: 2017-03-15 17:32:06
md5: 3cc49c10898ef6279bc0b073b46ad9ba
sha1: 6831dfbf7e4634d238c97264df5f0a1bd37216df
sha256: 10a20110b781cfccb910d21764d5cc4f930f00f22869014a48ab72d707f890a3
ssdeep: 24576:lRdo3xJBcr7/GkWCZ5kC3Ss/Gj+2GDbaWiHi:lzyBcv/GkvSCCs/Gj+2GDbaWS
content/type: data
analysis time: 28.84 s
result: malware [200]
embedded executable: found

signature hits:

63850: exploit.office RTF memory corruption listoverridecount CVE-2012-2539 CVE-2014-1761
182866: string.This program cannot be run in DOS mode
953238: string.LoadLibraryA
953018: string.GetModuleHandleA
954992: string.GetCommandLineA
876956: string.GetSystemMetrics
952862: string.GetProcAddress
952928: string.CreateProcessA
954538: string.EnterCriticalSection
953952: string.GetEnvironmentVariableA
952898: string.CloseHandle
953664: string.CreateFileA
949588: string.RegDeleteKeyA
878612: string.user32.dll
888604: string.shell32.dll
954342: string.KERNEL32
905303: string.ExitProcess
951354: string.GetMessageA
950800: string.CreateWindowExA
dropped.file exe ebd2cc7f6d83183384bf553df2dadb30 / 696056 bytes / @ 182788
dropped.file rtf 5b01f93cf2e7ce6a86f53d4ae7819822 / 156046 bytes / @ 878844

Cryptanalysis

key length: 4 bytes
key:

entropy: 100.00%
Dropped Files

exe at 182788
md5: ebd2cc7f6d83183384bf553df2dadb30
sha1: 0858b546656f413776fba4f696ded8776ad6957b
sha256: b089b084f9b4792d90ad4b38408a3e297f4a8c12c7001469527fd68e2d7922e8
rtf at 878844
md5: 5b01f93cf2e7ce6a86f53d4ae7819822
sha1: 076c444d0e95e6412025dc782dd5e828d54c44ff
sha256: e8c9b43d551d7c76c713eea43eb3a4f696d251cf4ef19baf393fb3c9970596da