Cryptam // document analysis



Sample Details

original filename: 85c56341d68a0d57f92fd084ae10c80c.virus

size: 156698 bytes
submitted: 2018-04-11 17:35:20
md5: 85c56341d68a0d57f92fd084ae10c80c
sha1: cb48f65583748e322df005481dddb05c8ec46fc4
sha256: 297559d5aaaea40ccd751c69e553e273d9dae80b154922d800263ba33401ab58
ssdeep: 3072:Y84pq6LMXP3w1hedJjFjdQhHt5eMFEEJ/uRiAAH1CG:k5Q3HFShN8MGdiPl
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 96.95 s
result: malware [82]
embedded executable: found

signature hits:

2563: exploit.office MSCOMCTL.OCX Toolbar MS12-060 A
2571: exploit.office MSCOMCTL.OCX Toolbar MS12-060
20946: suspicious.office Visual Basic macro
28750: string.This program cannot be run in DOS mode
32706: string.GetProcAddress
33920: string.CloseHandle
32982: string.KERNEL32
dropped.file exe 5a05dd2b2ee7c5718bbb87fd801ab416 / 6776 bytes / @ 28672
dropped.file exe 439c2611e4f6ebb27f9acad90e0abdb1 / 8776 bytes / @ 35448
dropped.file exe c95fe0754de68674775923504973cdda / 33720 bytes / @ 44224
dropped.file exe c26563819734dba7ec66bfee1beb6cdd / 11688 bytes / @ 77944
dropped.file exe c9f19987025dba068a19b5a36e947d9b / 36320 bytes / @ 89632
dropped.file doc b5a7af0472d5bf3fc08bd7bc72019e4f / 30746 bytes / @ 125952


Cryptanalysis


key length: 32 bytes
key:

occurrences in file: 825
entropy: 100.00%


Dropped Files

exe at 28672
md5: 5a05dd2b2ee7c5718bbb87fd801ab416
sha1: d7a93d32be323f946848c3426652e9dc2fdd07ab
sha256: 540c88e32c1d952bcf9773acddbc76a9e304fef4d65f5b80e170209f8c5ccda2

exe at 35448
md5: 439c2611e4f6ebb27f9acad90e0abdb1
sha1: acc53918bddc87d12645b2b073c490bf5a8db028
sha256: 1c403a06999930a924e4897d1e5c0541618b47f9971baf76a467e6e7756f22ad

exe at 44224
md5: c95fe0754de68674775923504973cdda
sha1: d268c7303813d7df6bb4f435402347e6f9d61e1c
sha256: a4835dacff466b224325c2ff342eaa08bbaef41e5f9509f6c3abba0c478f5b3e

exe at 77944
md5: c26563819734dba7ec66bfee1beb6cdd
sha1: 4b38f1b5ce446ff9a8d426be343baa6d31bc6d6b
sha256: 302997afd970513a45954c32d0025df57c8a056a996c1669903636733b038667

exe at 89632
md5: c9f19987025dba068a19b5a36e947d9b
sha1: a37997e9d4dce52753b4ab59e581e54004d0a413
sha256: 8b13c843025b5c907f9c49131236abf22e5e82dd49adf46c277c09b191524ade

doc at 125952
md5: b5a7af0472d5bf3fc08bd7bc72019e4f
sha1: 72b4a2fdabf7cff79f13367b18e0697fb1c2efbf
sha256: c0855f26e4e92c5e6842e338c0e490607bd65ffde9077b348490065eb0ce3ccf