Cryptam // document analysis


Sample Details

original filename: e92a4fc283eb2802ad6d0e24c7fcc857.virus

size: 106604 bytes
submitted: 2013-05-03 11:45:29
md5: e92a4fc283eb2802ad6d0e24c7fcc857
sha1: 988541c505fef37a48eca2cad926ec378a09a526
sha256: 2dd92dcfe5a46143b9a879122432e48ef0b9016736b66cd322f5c9fb5d3441dd
ssdeep: 1536:k5DGs/XWRgRgw6dvgi2F3SWqlsVSE/OR9AH/w6vmQcc:k5Dt/XE/dvghFCWqlsVn/kAI6vX
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 1.58 s
result: malware [86]
embedded executable: found

signature hits:

11776: suspicious.flash CWS flash in MS Office document
2577: suspicious.flash flash control in MS Office document
57522: rol2.string.This program cannot be run in DOS mode
68662: rol2.string.LoadLibraryA
68388: rol2.string.GetProcAddress
68526: rol2.string.GetEnvironmentVariableA
68464: rol2.string.CloseHandle
68740: rol2.string.KERNEL32
12266: cws.suspicious.flash jit_egg
12243: cws.exploit.flash flash calling malformed MP4 CVE-2012-0754 A
dropped.file exe 0bd8671cc6b6f7ae94bb5c04c12699d3 / 49160 bytes / @ 57444


Cryptanalysis

key length: 0 bytes
key:

entropy: 0.00%
rol bitwise: 2 | decode with: 6


Dropped Files

exe at 57444
md5: 0bd8671cc6b6f7ae94bb5c04c12699d3
sha1: fe5f30d210ff6fef79166372a078b083c1a93072
sha256: 7194d547de15f3d09f9053bddd0c93e229049558038989a8a3b71fab0d914498