Cryptam // document analysis



Sample Details

original filename: 7f76bae59eeb8cad3ed34a183d810d11.1

size: 1162425 bytes
submitted: 2018-02-09 18:36:11
md5: 7f76bae59eeb8cad3ed34a183d810d11
sha1: 585f4f747248db53999218cc3278fd47707fb608
sha256: 32365a708392b244296b7881bcf8dee04f836c03a46d640c35f569bf3d38464a
ssdeep: 24576:kb0tw4bfMpV7ceKPvi14LEt5k/W0DPwCna++V8TQheul:pwOMAtPq18Et5k+qH+GTQp
content/type: data
analysis time: 41.15 s
result: malware [275]
embedded file objects: yes
embedded executable: found

signature hits:

embedded.file datastore-933 67d6fd5e7778add0f919dd3cfb4f7b2f
datastore-933.2865: exploit.office MSCOMCTL.OCX Toolbar MS12-060
embedded.file datastore-24933 5e38e931485e7c20b9824824ed812137
datastore-24933.embedded.file activeX37.xml 2ebce8c16f89c291e4b3f38287b6137b
datastore-24933.activeX37.xml.200: exploit.office MSCOMCTL.OCX TabStrip CVE-2012-1856 classid
datastore-24933.activeX37.xml.179: suspicious.office activeX
datastore-24933.embedded.file activeX19.xml b24ae77484b1064314c4baecdbd1e9a6
datastore-24933.activeX19.xml.199: exploit.office MSCOMCTL.OCX TabStrip CVE-2012-1856 classid
datastore-24933.activeX19.xml.178: suspicious.office activeX
datastore-24933.embedded.file activeX15.xml 5eae4ac954263111f4b727ed5f353f87
datastore-24933.activeX15.xml.196: exploit.office MSCOMCTL.OCX TabStrip CVE-2012-1856 classid
datastore-24933.activeX15.xml.175: suspicious.office activeX
datastore-24933.embedded.file activeX5.xml f6ca431a21c21ad276212b8fa584b948
datastore-24933.activeX5.xml.198: exploit.office MSCOMCTL.OCX TabStrip CVE-2012-1856 classid
datastore-24933.activeX5.xml.177: suspicious.office activeX
datastore-24933.embedded.file activeX52.bin dbc29c66e0c15044c9d4e17b6ba1dbf9
datastore-24933.embedded.file activeX40.xml 4cc0689d9c801f8e8ffe8a26f7e18117
datastore-24933.activeX40.xml.230: exploit.office MSCOMCTL.OCX TabStrip CVE-2012-1856 classid
datastore-24933.activeX40.xml.209: suspicious.office activeX
datastore-24933.embedded.file activeX30.xml 6614f5916e336b447fd692c80ffadeb8
datastore-24933.activeX30.xml.197: exploit.office MSCOMCTL.OCX TabStrip CVE-2012-1856 classid
datastore-24933.activeX30.xml.176: suspicious.office activeX
embedded.file datastore-119263 5484d7dc2b55f946b94229a4e3006e38
datastore-119263.embedded.file document.xml 47c35a0453fe99f933db0975f9c753c1
datastore-119263.document.xml.45834: exploit.office SmartTag element parsing CVE-2015-1641
datastore-119263.document.xml.46167: exploit.office SmartTag element parsing CVE-2015-1641
11604: exploit.office RTF MSCOMCTL.OCX Toolbar MS12-060 C
22140: exploit.office RTF MSCOMCTL.OCX RCE CVE-2012-0158 obs D
5802: obfuscation.office RTF embedded Word Document
246934: string.GetModuleHandleA
246904: string.CreateFileA
246970: string.KERNEL32
204038: string.transposition cipher of This program cannot be run in DOS mode
dropped.file exe d1217c81cca33f5fcc4bed6cd948a36b / 913408 bytes / @ 203960
dropped.file doc b92841b66a46b9df287ff12bf10e4c5b / 45057 bytes / @ 1117368
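The `obfuscation.office RTF embedded Word Document` hit and the two dropped files above come from the same step: decoding the hex `\objdata` stream of the RTF and carving files out of the result by their magic bytes. The block below is an added example, not Cryptam's code, that performs that step on a constructed RTF: it pulls out each objdata group with brace balancing, strips control words (letters such as `\bin` would otherwise pass as hex digits), decodes the hex, and reports carved objects with offset, size and md5. The sample RTF, the stand-in bytes placed before the fake PE, and all function names are assumptions of the example; the offsets it reports are relative to the decoded stream, not the RTF file, and a production carver should also follow `e_lfanew` to a `PE\0\0` signature rather than trust the two-byte `MZ` magic.

```python
"""Carve embedded objects out of RTF \\objdata streams (added example, constructed sample)."""
import hashlib
import re

# Magic bytes checked once the hex stream is decoded.
CARVE_SIGNATURES = {
    "exe": b"MZ",
    "ole": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   # OLE compound file (.doc/.xls)
    "zip": b"PK\x03\x04",                          # OOXML container
    "rtf": b"{\\rt",                               # nested RTF
}
HEX_RE = re.compile(rb"[0-9A-Fa-f]")
CONTROL_WORD_RE = re.compile(rb"\\[a-zA-Z]+-?\d* ?")


def objdata_groups(rtf: bytes):
    """Yield the raw content after every \\objdata control word up to its closing brace."""
    for m in re.finditer(rb"\\objdata", rtf):
        depth, start, i = 0, m.end(), m.end()
        while i < len(rtf):
            c = rtf[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:
                    yield rtf[start:i]
                    break
                depth -= 1
            i += 1


def decode_objdata(group: bytes) -> bytes:
    """Strip control words and anything that is not a hex digit, then decode."""
    cleaned = CONTROL_WORD_RE.sub(b"", group)
    hexdigits = b"".join(HEX_RE.findall(cleaned))
    if len(hexdigits) % 2:           # obfuscators leave odd nibbles; drop the dangling one
        hexdigits = hexdigits[:-1]
    return bytes.fromhex(hexdigits.decode("ascii"))


def carve(blob: bytes):
    """Report every magic-byte hit in the decoded stream as a candidate dropped file."""
    hits = []
    for kind, magic in CARVE_SIGNATURES.items():
        off = blob.find(magic)
        while off != -1:
            hits.append({"type": kind, "offset": off, "size": len(blob) - off,
                         "md5": hashlib.md5(blob[off:]).hexdigest()})
            off = blob.find(magic, off + 1)
    return sorted(hits, key=lambda h: h["offset"])


def extract_rtf_objects(rtf: bytes):
    """Return [(decoded_blob, carved_hits), ...] for every objdata group in the RTF."""
    return [(blob, carve(blob)) for blob in map(decode_objdata, objdata_groups(rtf))]


def build_sample_rtf() -> bytes:
    """Constructed sample, not the analysed file: a fake PE behind a few stand-in
    header bytes, hex-encoded into an RTF objdata group the way Word writes it."""
    fake_pe = (b"MZ" + b"\x00" * 62
               + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 40)
    blob = b"\x01\x05\x00\x00\x02\x00\x00\x00" + fake_pe   # stand-in leading bytes
    hexstream = blob.hex().encode()
    lines = [hexstream[i:i + 64] for i in range(0, len(hexstream), 64)]
    return (b"{\\rtf1\\ansi\\deff0 {\\object\\objemb\\objw1000\\objh1000"
            b"{\\*\\objclass Word.Document.8}{\\*\\objdata\n"
            + b"\n".join(lines) + b"\n}}\\par Benign text.}")


if __name__ == "__main__":
    for blob, hits in extract_rtf_objects(build_sample_rtf()):
        for h in hits:
            print(f"dropped.file {h['type']} {h['md5']} / {h['size']} bytes / @ {h['offset']}")
```

Run against a real sample, the output lines mirror the `dropped.file` entries in the report above; Cryptam's offsets are file offsets into the RTF, whereas this example reports offsets into the decoded stream.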


Cryptanalysis


key length: 256 bytes
key:

occurrences in file: 96
entropy: 99.61%
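The cryptanalysis block above reports a 256-byte repeating XOR key, and the `string.transposition cipher of This program cannot be run in DOS mode` hit at 246934 - well, at 204038 - sits exactly 78 bytes (0x4E) past the dropped exe at 203960, which is where that DOS stub text lives in a standard MZ header. The block below is an added example, not Cryptam's implementation, of how such a key is recovered from a document that embeds an XOR-encoded PE: the key period is found from the coincidence rate between bytes a fixed distance apart, each key byte is then taken as the most common ciphertext byte in its residue class (PE files are mostly zero bytes, and 0 XOR k = k), and the result is confirmed by decrypting and locating the DOS stub with `MZ` 78 bytes before it. The sample container, the seeded key, and all function names are assumptions of the example; the tool's "occurrences in file" counter is not reproduced.

```python
"""Recover a repeating XOR key from a document embedding an XOR-encoded PE
(added example; the sample container and key are constructed, not the analysed file)."""
import operator
import random
from collections import Counter
from math import log2

DOS_STUB = b"This program cannot be run in DOS mode"
STUB_OFFSET = 0x4E   # position of the stub text relative to the MZ signature


def xor_with_key(data: bytes, key: bytes, phase: int = 0) -> bytes:
    """XOR data with a repeating key; key[phase] is applied to data[0]."""
    k = len(key)
    return bytes(b ^ key[(i + phase) % k] for i, b in enumerate(data))


def coincidence_rate(data: bytes, k: int) -> float:
    """Fraction of positions with data[i] == data[i+k]; peaks at the key period
    because equal plaintext bytes under the same key byte stay equal."""
    return sum(map(operator.eq, data, data[k:])) / (len(data) - k)


def guess_key_length(data: bytes, max_len: int = 256) -> int:
    rates = {k: coincidence_rate(data, k) for k in range(1, max_len + 1)}
    best = max(rates.values())
    # smallest period within 10% of the best, so multiples of the true period lose
    return min(k for k, r in rates.items() if r >= 0.9 * best)


def recover_key_by_mode(data: bytes, k: int) -> bytes:
    """Mode of each residue class, aligned to offset 0 of data. Zero is the most
    common byte in a PE, so the mode of class i is key[i] (0 ^ key[i])."""
    return bytes(Counter(data[i::k]).most_common(1)[0][0] for i in range(k))


def key_entropy(key: bytes) -> float:
    """Shannon entropy of the key bytes as a fraction of the 8-bit maximum."""
    n = len(key)
    return -sum(c / n * log2(c / n) for c in Counter(key).values()) / 8.0


def find_xor_encoded_pe(container: bytes):
    k = guess_key_length(container)
    key_at_zero = recover_key_by_mode(container, k)
    plain = xor_with_key(container, key_at_zero)
    stub = plain.find(DOS_STUB)
    if stub < STUB_OFFSET:                       # not found, or no room for an MZ header
        return None
    base = stub - STUB_OFFSET
    if plain[base:base + 2] != b"MZ":            # known-plaintext check on the header
        return None
    # rotate so key[0] is the byte applied to the first byte of the PE
    key = bytes(key_at_zero[(base + i) % k] for i in range(k))
    return {"key_length": k, "pe_offset": base, "dos_stub_offset": stub,
            "key": key, "key_entropy": key_entropy(key)}


def build_sample(seed: int = 1):
    """Constructed sample: a fake PE (zero-heavy, with a code-like region and int3
    padding) XOR-encoded with a seeded 256-byte key and wrapped in RTF-like filler."""
    rng = random.Random(seed)
    pe = bytearray(16384)
    pe[0:2] = b"MZ"
    pe[0x3C:0x40] = (0x80).to_bytes(4, "little")             # e_lfanew
    pe[STUB_OFFSET:STUB_OFFSET + len(DOS_STUB)] = DOS_STUB
    pe[0x80:0x84] = b"PE\x00\x00"
    pe[0x400:0x2400] = bytes(rng.randrange(256) for _ in range(0x2000))
    pe[0x2400:0x2600] = b"\xcc" * 0x200
    key = bytes(rng.randrange(256) for _ in range(256))
    before = (b"{\\rtf1\\ansi Quarterly report, see attached. " * 30)[:1000]
    after = b"\\par }" + b" " * 494
    return before + xor_with_key(bytes(pe), key) + after, key, len(before)


if __name__ == "__main__":
    container, key, base = build_sample()
    result = find_xor_encoded_pe(container)
    print(f"key length: {result['key_length']} bytes")
    print(f"key: {result['key'].hex()}")
    print(f"entropy: {100 * result['key_entropy']:.2f}%")
    print(f"PE at {result['pe_offset']}, DOS stub at {result['dos_stub_offset']}")
```

The mode-based recovery needs the encoded PE to dominate the file; for a small payload in a large document, restrict `recover_key_by_mode` to the region around the stub hit. Periods longer than 256 are missed unless `max_len` is raised.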



Dropped Files

document.xml at oxml
md5: 47c35a0453fe99f933db0975f9c753c1
sha1: 899ff3e804ea5341c44ee95649977bba7707cc9e
sha256: 514f7bc97b4c934cfb930c16023f7d9b8a9a04ea60fe82210e342da251ff7181

datastore-119263 at rtf
md5: 5484d7dc2b55f946b94229a4e3006e38
sha1: 4aa4653c74928c247151911d7591b587de879780
sha256: c82694ac2cc5ee8ec64af304b130a65ef03813b2ef2d4876d20dfa08d38f7ac7

exe at 203960
md5: d1217c81cca33f5fcc4bed6cd948a36b
sha1: b1a299b2e29141618fd8ee1eba33f46dcbaa3f0a
sha256: d460e5870a252c2827b88fdfc651a033a5d5875770f21a23b476a36e56ad5a8e

doc at 1117368
md5: b92841b66a46b9df287ff12bf10e4c5b
sha1: 783aded41531277729d4479591fb26f232de13ed
sha256: 016d5a89a1361392b59627df2f6b690377d95bb6d54b3a388200bdfb78abca0c