Cryptam // document analysis
Sample Details

original filename: 4cc9a6b1d52ff87590ed7f779bc63c017294d00da89ebd812ad00089314cf163

size: 220699 bytes
submitted: 2013-06-12 06:01:13
md5: 5f1344d8375b449f77d4d8ecfcdeda9a
sha1: 8077a217bfb645ab0322ad695ae5c153804cc2a9
sha256: 4cc9a6b1d52ff87590ed7f779bc63c017294d00da89ebd812ad00089314cf163
ssdeep: 3072:HslNnZ2GZvgFf3bkv12nVe+IqjsCrNNPQboAFdRIYEmQ:HU/2Bmv+Pj/PYoAFPQ
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 10.75 s
result: malware [172]
embedded executable: found

signature hits:

2562: exploit.office MSCOMCTL.OCX Toolbar MS12-060 A
14385: exploit.office MSCOMCTL.OCX Toolbar MS12-060 B
2570: exploit.office MSCOMCTL.OCX Toolbar MS12-060
16018: suspicious.office Visual Basic macro
81113: string.This program cannot be run in DOS mode
76129: string.LoadLibraryA
75167: string.GetModuleHandleA
75361: string.GetCommandLineA
75567: string.GetProcAddress
146403: string.CreateProcessA
75421: string.EnterCriticalSection
75061: string.CloseHandle
75087: string.CreateFileA
70711: string.KERNEL32
69202: string.ExitProcess
dropped.file exe bf13ccb777f7175ecd567e757abcb0e4 / 79248 bytes / @ 81035
dropped.file doc 40943eb7b2d3179ed2551693c9422f19 / 60416 bytes / @ 160283
Yara Tags

doc_exploit_ms12_060_toolbar
apt_template_tran_duy_linh
apt_ice_beaver_icefog

Cryptanalysis
key length: 256 bytes
key:

occurrences in file: 62
entropy: 99.61%
Dropped Files

exe at 81035
md5: bf13ccb777f7175ecd567e757abcb0e4
sha1: 6d741abe34564de79e3835da9452e4f5657069c2
sha256: 768f7440ad335f38f5c16f9d4eed654aca1121b26956e58087eab7e34ff718d0

doc at 160283
md5: 40943eb7b2d3179ed2551693c9422f19
sha1: b5b12f91f2a43b3e1ddc0164294d1c60182dda80
sha256: 173950d56e2cf77870b709f2e99876ce22acc4c4958b2ee55d5861d648d41bcf