Cryptam // document analysis


Sample Details

original filename: New%20secretory%20list.doc

size: 68718 bytes
submitted: 2017-06-14 02:29:11
md5: ff8f6556897df62d4c4af518f715df97
sha1: 6998ac93f099c9497dad4c422ddb86ebf86b4a76
sha256: 47c8b680caaff83c000565a0649ee1419834329afd58505d8459ecac325a7f32
ssdeep: 1536:t2NFA1bRoKy/tl8wozfHP7uwEjPuHyzhQkMV0Nl5N:t2NFABRodtm2PuSzhPdNXN
content/type: Microsoft OOXML
analysis time: 0.00 s
result: malware [90]
embedded file objects: yes
embedded executable: found

signature hits:

embedded.file image1.eps 2c9147eb5c109dcc662adcc766be091f
image1.eps.embedded.file datastore-11683 d3f952dc22add0bb9c0729f80cc9ebc0
image1.eps.datastore-11683.5375: string.This program cannot be run in DOS mode
image1.eps.datastore-11683.40451: string.GetCommandLineA
image1.eps.datastore-11683.39999: string.GetProcAddress
image1.eps.datastore-11683.40557: string.EnterCriticalSection
image1.eps.datastore-11683.40045: string.KERNEL32
image1.eps.datastore-11683.30812: string.ExitProcess
image1.eps.datastore-11683.dropped.file exe 4d8eaaf1e6f6f0f31b9784fe5cb70214 / 44836 bytes / @ 5297
image1.eps.datastore-11683.dropped.file exe df8df91ba2e4fc7e8b55550a741fff2d / 46592 bytes / @ 50133
image1.eps.3818: exploit.office PostScript CVE-2015-2545
image1.eps.9995: string.KERNEL32


Dropped Files

image1.eps at zip
md5: 2c9147eb5c109dcc662adcc766be091f
sha1: 7b8485e1dc7ae7be71ac34cd3017b8909580d3b8
sha256: d1d1323efacd4434810b197ba715313651a989abd4ca0f4d7df8365f9427d19f

exe at 5297
md5: 4d8eaaf1e6f6f0f31b9784fe5cb70214
sha1: 5c167bbb44fb0fbd543ab2c1d9a9d6e31743b410
sha256: 2bdf46a4671e3f85592026f86405cb7a51b6115270ff3ea3672707d627fe1435
imphash: b495c9756d2ec11775832042cd9037cd

exe at 50133
md5: df8df91ba2e4fc7e8b55550a741fff2d
sha1: ce58a7e1b736cf72471f8ab41b740e3c2f788f8a
sha256: 06881da599c8db18fba889c5fcbc22e8146e9b79c2d7869501c838bcb7af273a
imphash: 6b4e43907ba8940005865b96292fd7a6

datastore-11683 at rtf
md5: d3f952dc22add0bb9c0729f80cc9ebc0
sha1: 7d53abf35b75ab24bc04d112fb69a0ceca21b539
sha256: fbc6c9b3ced793873593f3517de13693557ef81ce92a17e4c3de848169face56