Cryptam // document analysis



Sample Details

original filename: e4249e8b82c63526a6498784b267b756.1

size: 882125 bytes
submitted: 2018-02-09 18:56:00
md5: e4249e8b82c63526a6498784b267b756
sha1: ff6fdd1868f3a4dcff88ce02d840fc795e98ae7e
sha256: 25b5737c25a1dee1a64ba5032fc7f32978e4af0a238b7c0ae13b8acb48df2d17
ssdeep: 24576:SHK5C1V5rQgjiMHFAFVhXOlz2BRkexm8tJNZ:2lAFVhoz2BjxmIJN
content/type: data
analysis time: 55.33 s
result: malware [278]
embedded file objects: yes
embedded executable: found

signature hits:

embedded.file datastore-162 021a9cdf96ecdb7f3906bf687c2ad43c
datastore-162.embedded.file ActiveX14.xml 697982b692868d0fd05910954e0e971a
datastore-162.ActiveX14.xml.77: exploit.office MSCOMCTL.OCX TabStrip CVE-2012-1856 classid
datastore-162.ActiveX14.xml.56: suspicious.office activeX
datastore-162.embedded.file activeX1.bin 23cc315702179b8552b702892e433801
embedded.file datastore-98578 0566606b68747e4a67544f99990350fe
datastore-98578.embedded.file document.xml 254ccbc792e77ed08b4d76727ad63907
datastore-98578.document.xml.43717: exploit.office SmartTag element parsing CVE-2015-1641
datastore-98578.document.xml.44050: exploit.office SmartTag element parsing CVE-2015-1641
embedded.file datastore-161176 05abaeea261362002fdb3387ae744542
datastore-161176.embedded.file ActiveX17.xml 697982b692868d0fd05910954e0e971a
datastore-161176.ActiveX17.xml.77: exploit.office MSCOMCTL.OCX TabStrip CVE-2012-1856 classid
datastore-161176.ActiveX17.xml.56: suspicious.office activeX
datastore-161176.embedded.file ActiveX40.xml aa410ab76f7122c2a17c5f8645d47d40
datastore-161176.ActiveX40.xml.77: exploit.office Sandbox Overflow class id CVE-2015-1770
datastore-161176.ActiveX40.xml.56: suspicious.office activeX
datastore-161176.embedded.file ActiveX1.bin 4361d776a59566a0aaa5ba48db11f7a3
334603: string.This program cannot be run in DOS mode
794697: string.LoadLibraryA
677108: string.GetModuleHandleA
677346: string.GetSystemMetrics
675616: string.GetProcAddress
832049: string.CreateProcessA
676678: string.EnterCriticalSection
675472: string.CloseHandle
676822: string.CreateFileA
797049: string.RegOpenKeyExA
797033: string.RegDeleteKeyA
822320: string.user32.dll
790111: string.shell32.dll
677144: string.KERNEL32
676448: string.ExitProcess
796699: string.GetMessageA
795549: string.CreateWindowExA
dropped.file exe c007126e4ae31fec78b5f22c6f44c1af / 20804 bytes / @ 334525
dropped.file exe 2295e1a2007ee4fb518d3bf1236daaba / 6661 bytes / @ 355329
dropped.file exe 249618a06a84d78227e0f491365b5819 / 351845 bytes / @ 361990
dropped.file exe 21ba9fb6c8039b41bb14b3ce72f4d56b / 168290 bytes / @ 713835


Cryptanalysis


key length: 4 bytes
key:

occurrences in file: 146
entropy: 100.00%



Dropped Files

ActiveX17.xml at oxml
md5: 697982b692868d0fd05910954e0e971a
sha1: a86a5e7a04472429853fc8e7cb527068d81a1493
sha256: 5923857ab213b3b29348babfea4bf9590c4a3b193395eb0897d3934d4d29b158

ActiveX40.xml at oxml
md5: aa410ab76f7122c2a17c5f8645d47d40
sha1: ef34618fe02db69e3a00b93142102e78e6a4f93f
sha256: 6514a03cde437a6f747d0b698cb8f23fba70914d992e8d0bd1990dfb84d3dbc0

ActiveX1.bin at oxml
md5: 4361d776a59566a0aaa5ba48db11f7a3
sha1: 317a215e3ba4b7b4ffbc7c31aa4e165b733031d9
sha256: e57c83fab935d0d1310201cd5699e62f468b4fd49b31f651481f8f1ac11eb1d6

datastore-161176 at rtf
md5: 05abaeea261362002fdb3387ae744542
sha1: 63bd5e975b1c367e12c4c2a1470ffe47587440a8
sha256: 077d99f41ff56729521911cb022df70e312118e365b43afb4004287352737ebd

exe at 334525
md5: c007126e4ae31fec78b5f22c6f44c1af
sha1: 3156640171839bd0e01757f1d8d52329c9609350
sha256: 19975c594fa9e9a6f8772eb0ca1ad82fd72880b9467a832194b5bcb96a66a61b

exe at 355329
md5: 2295e1a2007ee4fb518d3bf1236daaba
sha1: 66dd1eab0df6bbc716b4486d17017df2574cc53c
sha256: fcc92fb7fbe64e1919c46fa5bc5e2c4d64505dd34b067c80e42456d1fb3ede25

exe at 361990
md5: 249618a06a84d78227e0f491365b5819
sha1: 8450c694c1e14186b087497a2a812f389f73f036
sha256: 18a70c6117698541a875fe457e2bb515aa93a1c1f4ffb6ece61f1258d9a8a5c4

exe at 713835
md5: 21ba9fb6c8039b41bb14b3ce72f4d56b
sha1: 7d3d121f31a216bf363e82bb0774668167668010
sha256: fb7706e2b70c46350502a4e254b88027c288e5c318d726d194be769d6a145ca3