Cryptam // document analysis

Sample Details

original filename: 7d0dd52a21c069010bdf23e5265d5247.1

size: 1256133 bytes
submitted: 2018-02-09 19:15:03
md5: 7d0dd52a21c069010bdf23e5265d5247
sha1: 7e5d228b4bb60d8084c84500df8f20657110f105
sha256: 5229a1abeda9007363095443eab52cdc54fcaf97a8df1266ec8259b6fa61b272
ssdeep: 24576:YBCAT7qtK5m1V5kQ//smu86cKX3aTIrIkFOcIG3yRgtxGhNWR7:F/uFaTJG3yju
content/type: data
analysis time: 419.42 s
result: malware [59]
embedded file objects: yes
embedded executable: found

signature hits:

embedded.file datastore-161828 42489e79720c4deb398eca92c201b2ca
datastore-161828.embedded.file activeX37.xml 697982b692868d0fd05910954e0e971a
datastore-161828.activeX37.xml.77: exploit.office MSCOMCTL.OCX TabStrip CVE-2012-1856 classid
datastore-161828.activeX37.xml.56: suspicious.office activeX
datastore-161828.embedded.file activeX39.xml aa410ab76f7122c2a17c5f8645d47d40
datastore-161828.activeX39.xml.77: exploit.office Sandbox Overflow class id CVE-2015-1770
datastore-161828.activeX39.xml.56: suspicious.office activeX
datastore-161828.embedded.file ActiveX1.bin 4361d776a59566a0aaa5ba48db11f7a3
embedded.file datastore-497262 f9c5af289509169d376bc7cf9c0a9b61
embedded.file datastore-515774 d4ad3632cc5147175888b2bae976a61c
247: obfuscation.office RTF embedded Word Document
272900: string.This program cannot be run in DOS mode
dropped.file exe 7d0b7169265b723fc3b558f4e3dbec36 / 983311 bytes / @ 272822


Cryptanalysis


key length: 4 bytes
key:

occurrences in file: 88
entropy: 100.00%


Dropped Files

datastore-515774 at rtf
md5: d4ad3632cc5147175888b2bae976a61c
sha1: db21caa0b658a7e54ece52bb8ad4451d26cd1bff
sha256: 96e64f1a4962052a6163fb36544b82375b89dbb8aca00497802499e64370c654

exe at 272822
md5: 7d0b7169265b723fc3b558f4e3dbec36
sha1: 4c7f5263ed56d2748ce7d43eca21116dc1aa1286
sha256: 62f4c66a9b200bb12c778f8d10dc2ace3dd98223873fa3d5d83ca934d1eca0ae
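Added example, not Cryptam's code: the two steps the Cryptanalysis and Dropped Files sections above summarise, done by hand. A fixed-length XOR key is recovered by a known-plaintext search for the DOS-stub string "This program cannot be run in DOS mode" (which sits 0x4E bytes after "MZ" in a normal PE, matching the 78-byte gap between the exe at 272822 and the string hit at 272900 above); the decrypted PE is then carved to its on-disk size from the section table and hashed. The RTF-style container, the 4-byte key KEY and the fake PE are constructed inside the script so it runs offline; none of them come from the sample on this page.

```python
import hashlib
import re
import struct
from binascii import hexlify, unhexlify

DOS_STUB = b"This program cannot be run in DOS mode"
STUB_OFFSET = 0x4E          # usual distance from the "MZ" signature to the stub text
SECTION_HDR = 40            # size of one IMAGE_SECTION_HEADER
KEY = b"\x5a\x13\xc7\x88"   # assumed key for the constructed sample below


def xor(data: bytes, key: bytes, start: int = 0) -> bytes:
    """XOR with a repeating key; `start` is the absolute offset of data[0], so the
    key phase survives when a slice of a larger buffer is decrypted."""
    n = len(key)
    return bytes(b ^ key[(start + i) % n] for i, b in enumerate(data))


def find_xor_keys(data: bytes, key_len: int = 4, known: bytes = DOS_STUB) -> dict:
    """Known-plaintext search: wherever `known` was encrypted with a key_len-byte
    key, data XOR known repeats with period key_len. Returns {key: [offsets]},
    keys normalised to the phase at data[0]; an all-zero key means the stub is
    present in clear."""
    hits, n = {}, len(known)
    for off in range(len(data) - n + 1):
        stream = bytes(a ^ b for a, b in zip(data[off:off + n], known))
        if any(stream[i] != stream[i % key_len] for i in range(key_len, n)):
            continue
        key = bytes(stream[(j - off) % key_len] for j in range(key_len))
        hits.setdefault(key, []).append(off)
    return hits


def pe_size_from_headers(pe: bytes) -> int:
    """On-disk size = end of the last section's raw data (any overlay excluded)."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    end = 0
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + i * SECTION_HDR + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def hex_layers(data: bytes, min_hex: int = 64):
    """RTF carries \\objdata payloads as hex text; decode every long hex run."""
    for m in re.finditer(rb"[0-9A-Fa-f]{%d,}" % min_hex, data):
        run = m.group(0)
        yield m.start(), unhexlify(run[:len(run) & ~1])


def analyze(blob: bytes, key_len: int = 4) -> list:
    """One record per carved PE: layer, key, offset, size, bytes and hashes."""
    found = []
    layers = [("raw", blob)] + [("hex@%d" % p, d) for p, d in hex_layers(blob)]
    for name, data in layers:
        for key, offsets in find_xor_keys(data, key_len).items():
            for off in offsets:
                mz = off - STUB_OFFSET
                if mz < 0:
                    continue
                plain = xor(data[mz:], key, start=mz)
                try:
                    size = pe_size_from_headers(plain)
                except (ValueError, struct.error):
                    continue
                if size == 0 or size > len(plain):
                    continue    # section table points past the buffer: truncated
                pe = plain[:size]
                found.append({"layer": name, "key": key, "offset": mz, "size": size,
                              "bytes": pe, "md5": hashlib.md5(pe).hexdigest(),
                              "sha256": hashlib.sha256(pe).hexdigest()})
    return found


def build_fake_pe() -> bytes:
    """Constructed stand-in for a dropped executable: DOS header, stub text at
    0x4E, COFF header, zeroed optional header, one 0x200-byte section. Not loadable."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    dos[STUB_OFFSET:STUB_OFFSET + len(DOS_STUB)] = DOS_STUB
    struct.pack_into("<I", dos, 0x3C, 0x80)                       # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + bytes(16)
    hdr = bytes(dos) + coff + bytes(0xE0) + sect
    return hdr + bytes(0x200 - len(hdr)) + bytes(range(256)) * 2


def build_sample(key: bytes = KEY) -> bytes:
    """Constructed RTF-like container: the fake PE XOR-encrypted with `key` and
    hex-encoded inside an \\objdata group."""
    enc = xor(build_fake_pe(), key)
    return b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata " + hexlify(enc) + b"}}}"


if __name__ == "__main__":
    for rec in analyze(build_sample()):
        print({k: v for k, v in rec.items() if k != "bytes"})
```

On a real submission, pass the file's bytes to analyze(). The hex layer matters: RTF stores object payloads as hex text, so a scan of the raw bytes alone misses an executable that is merely hex-encoded rather than XOR-encrypted, and an all-zero key in the output simply means the DOS stub was found in clear. The carved size stops at the last section's raw data, so an appended overlay would have to be carved separately.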