Cryptam // document analysis

Sample Details

original filename: 264fc247c96a618dc7c6a1186e342614.doc

size: 881021 bytes
submitted: 2017-06-14 02:22:35
md5: 264fc247c96a618dc7c6a1186e342614
sha1: 7daca735637b7146b66df4ef36ff7fe0a4035d34
sha256: 4b0de57a011ebda50413cc04343b4a5b47d85c4722f173fdb0c4ce48895158c5
ssdeep: 24576:aXaJy1NBYAhJXF4Z642tb5mH2ZqLug4c:iJXyYd95mYqLz4c
content/type: data
analysis time: 431.08 s
result: malware [112]
embedded file objects: yes
embedded executable: found

signature hits:

embedded.file datastore-124 ff036958f9a1e8175ddbfacf82b78f53
datastore-124.embedded.file ActiveX14.xml 697982b692868d0fd05910954e0e971a
datastore-124.ActiveX14.xml.77: exploit.office MSCOMCTL.OCX TabStrip CVE-2012-1856 classid
datastore-124.embedded.file activeX1.bin 23cc315702179b8552b702892e433801
embedded.file datastore-98542 428dbcbf0b2e5b6f5efce544236a03d6
datastore-98542.embedded.file document.xml 254ccbc792e77ed08b4d76727ad63907
datastore-98542.document.xml.43717: exploit.office SmartTag element parsing CVE-2015-1641
datastore-98542.document.xml.44050: exploit.office SmartTag element parsing CVE-2015-1641
embedded.file datastore-161120 c95d227674f81da1f6aeb2a07a01735f
datastore-161120.embedded.file activeX37.xml 697982b692868d0fd05910954e0e971a
datastore-161120.activeX37.xml.77: exploit.office MSCOMCTL.OCX TabStrip CVE-2012-1856 classid
datastore-161120.embedded.file activeX39.xml aa410ab76f7122c2a17c5f8645d47d40
datastore-161120.activeX39.xml.77: exploit.office Sandbox Overflow class id CVE-2015-1770
datastore-161120.embedded.file ActiveX1.bin 4361d776a59566a0aaa5ba48db11f7a3
836433: string.GetCommandLineA
dropped.file rtf b5f35730aa6c2ed905469b227f37a84d / 73358 bytes / @ 807663
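The signature hits above are keyed by byte offsets into the submitted .doc (datastore-124, datastore-98542, datastore-161120, and the RTF dropped at 807663), and the Dropped Files section pairs each carved object with its md5/sha1/sha256. The following is an added example, not Cryptam's code and not taken from this report: it locates embedded RTF, OOXML (zip) and OLE2 containers by their magic bytes, carves each one, and hashes it so a carved object can be matched against the hashes in a report like this one. The input is a constructed stand-in built inside the script, not the sample itself. One check it encodes comes straight from the page's own numbers: the RTF at 807663 with 73358 bytes ends at exactly 881021, the file size, so that object runs to end of file.

```python
"""Carve embedded RTF/OOXML/OLE payloads out of a weaponised .doc and hash them.

Added example (not Cryptam's code): reproduces the bookkeeping behind report
lines such as 'embedded.file datastore-<offset>' and 'dropped.file rtf ... @ 807663'.
"""
import hashlib
import io
import re
import zipfile
from dataclasses import dataclass

# Container signatures named in the report (rtf, oxml) plus the OLE2 header.
SIGNATURES = {
    b"{\\rtf": "rtf",
    b"PK\x03\x04": "oxml",                        # zip / OOXML local file header
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",   # OLE2 compound file header
}


@dataclass
class Carved:
    kind: str
    offset: int
    data: bytes

    def hashes(self):
        return {a: hashlib.new(a, self.data).hexdigest() for a in ("md5", "sha1", "sha256")}


def find_signatures(blob):
    """All (offset, kind) magic-byte hits, sorted by offset."""
    hits = [(m.start(), kind)
            for magic, kind in SIGNATURES.items()
            for m in re.finditer(re.escape(magic), blob)]
    return sorted(hits)


def zip_end(blob, start):
    """A zip ends with its end-of-central-directory record: 22 bytes plus comment.
    Caveat: takes the first EOCD after `start`, so a zip nested inside another
    zip would cut the outer one short."""
    eocd = blob.find(b"PK\x05\x06", start)
    if eocd < 0:
        return len(blob)
    comment_len = int.from_bytes(blob[eocd + 20:eocd + 22], "little")
    return eocd + 22 + comment_len


def carve(blob):
    """One object per top-level signature. Zips end at their EOCD; RTF and OLE
    objects run to the next signature or to end of file (the report's RTF at
    807663 with 73358 bytes reaches exactly 881021, the file size)."""
    hits = find_signatures(blob)
    carved, cursor = [], 0
    for i, (off, kind) in enumerate(hits):
        if off < cursor:            # a local header inside a zip already carved
            continue
        if kind == "oxml":
            end = zip_end(blob, off)
        else:
            end = hits[i + 1][0] if i + 1 < len(hits) else len(blob)
        carved.append(Carved(kind, off, blob[off:end]))
        cursor = end
    return carved


def list_zip_entries(carved):
    """Entry names of a carved OOXML container (e.g. word/activeX/activeX1.xml)."""
    return zipfile.ZipFile(io.BytesIO(carved.data)).namelist()


def report_lines(blob):
    """Report-style lines: 'embedded.file <kind> @ <offset> / <size> bytes / <md5>'."""
    return [f"embedded.file {c.kind} @ {c.offset} / {len(c.data)} bytes / {c.hashes()['md5']}"
            for c in carve(blob)]


def build_sample():
    """Constructed stand-in for the .doc (not real malware): 512 bytes of filler,
    an OOXML zip holding an activeX part, then an RTF body running to end of file."""
    filler = bytes(range(256)) * 2          # contains none of the magic sequences
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("word/activeX/activeX1.xml", "<ax:ocx/>")
        z.writestr("word/document.xml", "<w:document/>")
    rtf = b"{\\rtf1\\ansi\\deff0 {\\object\\objemb{\\*\\objdata 0105000002000000}}}"
    return filler + buf.getvalue() + rtf


if __name__ == "__main__":
    for line in report_lines(build_sample()):
        print(line)
```

Two practical caveats: the OLE2 length is not derivable from the header alone (it is a sector count found by walking the FAT), which is why this carver stops an OLE object at the next signature, and an RTF that itself embeds an OLE object will be split at that object's header unless the RTF brace nesting is tracked instead.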


Cryptanalysis

key length: 1024 bytes
key:

entropy: 100.00%
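The Cryptanalysis block reports a 1024-byte key at 100% entropy for the embedded executable but leaves the key value blank, so nothing more about the key itself can be taken from this page. What a result like this rests on is the standard repeating-key XOR recovery for encrypted PE payloads: the ciphertext coincides with itself at shifts equal to the key length because executables carry long runs of 0x00, and for each key position the most frequent ciphertext byte is the key byte XORed with 0x00. The following is an added example, not Cryptam's code and not a description of its exact algorithm: it constructs a PE-like plaintext, encrypts it with a random 1024-byte key (the length the report found), and recovers the key length and key from the ciphertext alone. The plaintext, key and seed are all constructed here.

```python
"""Repeating-key XOR recovery for an encrypted embedded executable.

Added example (not Cryptam's code): shows how a 'key length: 1024 bytes'
finding is reached from ciphertext alone, relying on the zero runs in PEs.
"""
import math
import random
from collections import Counter

KEY_LEN = 1024            # the key length the report found
SAMPLE_SIZE = 64 * 1024   # constructed payload size


def build_plaintext(rng, size=SAMPLE_SIZE):
    """Constructed PE-like buffer: MZ header, e_lfanew -> 'PE\\0\\0' at 0x80, the
    DOS stub text, then pseudo-code runs mixed with zero padding (about two
    thirds zeros, as in real executables). Not a valid PE, just shaped like one."""
    stub = b"This program cannot be run in DOS mode.\r\r\n$"
    head = bytearray(b"MZ\x90\x00" + b"\x00" * 0x38 + (0x80).to_bytes(4, "little"))
    head += b"\x00" * (0x80 - len(head))
    head += b"PE\x00\x00" + stub
    body = bytearray()
    while len(head) + len(body) < size:
        if rng.random() < 0.5:
            body += b"\x00" * rng.randint(8, 200)
        else:
            body += bytes(rng.getrandbits(8) for _ in range(rng.randint(8, 100)))
    return bytes(head + body)[:size]


def xor_repeating(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def coincidence_rate(data, shift):
    """Fraction of positions where data[i] == data[i + shift], computed with one
    big-integer XOR so that scanning a thousand shifts stays fast."""
    a, b = data[:-shift], data[shift:]
    diff = int.from_bytes(a, "big") ^ int.from_bytes(b, "big")
    return diff.to_bytes(len(a), "big").count(b"\x00") / len(a)


def guess_key_length(cipher, max_len=1536):
    """Smallest shift whose coincidence rate is near the maximum. The true key
    length and its multiples spike; unrelated shifts sit near 1/256 because
    key[i] ^ key[i+shift] is random for a high-entropy key."""
    rates = {n: coincidence_rate(cipher, n) for n in range(1, max_len + 1)}
    best = max(rates.values())
    return min(n for n, r in rates.items() if r >= 0.9 * best)


def recover_key(cipher, key_len):
    """Per key position, the most frequent ciphertext byte is 0x00 ^ key[j]."""
    key = bytearray(key_len)
    for j in range(key_len):
        key[j] = Counter(cipher[j::key_len]).most_common(1)[0][0]
    return bytes(key)


def key_entropy_percent(key):
    """Shannon entropy of the key bytes as a percentage of the 8-bit maximum."""
    n = len(key)
    h = -sum(c / n * math.log2(c / n) for c in Counter(key).values())
    return 100.0 * h / 8


def demo(seed=1):
    """Encrypt the constructed payload with a random KEY_LEN-byte key, then
    recover length and key from the ciphertext and check the result."""
    rng = random.Random(seed)
    plain = build_plaintext(rng)
    key = bytes(rng.getrandbits(8) for _ in range(KEY_LEN))
    cipher = xor_repeating(plain, key)
    key_len = guess_key_length(cipher)
    recovered = recover_key(cipher, key_len)
    decrypted = xor_repeating(cipher, recovered)
    return {
        "key_len": key_len,
        "key_ok": recovered == key,
        "entropy": key_entropy_percent(recovered),
        "mz": decrypted[:2] == b"MZ",
        "pe_at": decrypted.find(b"PE\x00\x00"),
    }


if __name__ == "__main__":
    print(demo())
```

The zero-plurality trick is the reason this works on plain PEs and fails on payloads that were compressed or packed before being XORed: without a dominant plaintext byte per column there is nothing for the column statistics to lock on to, and the coincidence spike at the key length also flattens out. The entropy figure is a Shannon estimate over the recovered key bytes; how the report's own 100.00% is computed is not stated on this page.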

Dropped Files

activeX37.xml at oxml
md5: 697982b692868d0fd05910954e0e971a
sha1: a86a5e7a04472429853fc8e7cb527068d81a1493
sha256: 5923857ab213b3b29348babfea4bf9590c4a3b193395eb0897d3934d4d29b158

activeX39.xml at oxml
md5: aa410ab76f7122c2a17c5f8645d47d40
sha1: ef34618fe02db69e3a00b93142102e78e6a4f93f
sha256: 6514a03cde437a6f747d0b698cb8f23fba70914d992e8d0bd1990dfb84d3dbc0

ActiveX1.bin at oxml
md5: 4361d776a59566a0aaa5ba48db11f7a3
sha1: 317a215e3ba4b7b4ffbc7c31aa4e165b733031d9
sha256: e57c83fab935d0d1310201cd5699e62f468b4fd49b31f651481f8f1ac11eb1d6

datastore-161120 at rtf
md5: c95d227674f81da1f6aeb2a07a01735f
sha1: 95143d00b1c8cee33024d5b2f96046e6f325641d
sha256: 9a4d3072ffcb72d430268d63357f32d68b8ea7bf5cd229a7fdb3af1d76f5fd6a

rtf at 807663
md5: b5f35730aa6c2ed905469b227f37a84d
sha1: 53ef5407265ae1b1b080c58d943ff86ccf74daca
sha256: c84b7e86f286d82326c7ca19d26508769b2b3ca6b6f99e3a090d8619e4336d2b