Cryptam // document analysis



Sample Details

original filename: 9426d7d4d837dca27618342bcf61d428.doc

size: 704512 bytes
submitted: 2017-06-14 03:25:04
md5: 9426d7d4d837dca27618342bcf61d428
sha1: 26ed6dfa5613adaa3b2ce9bfea25fcf913ae3161
sha256: 5954b501503844cb4e98fee5dbff931564863c82b4ea6aaf6cca34b4c47d143a
ssdeep: 6144:XdNNeIdNNeIdNNeA0OXgaBT49d4NYfU3HIv0MdRl2DU:Xbzbzb1DXxTk4NY83W0MdfZ
content/type: data
analysis time: 440.93 s
result: malware [85]
embedded file objects: yes
embedded executable: found

signature hits:

embedded.file datastore-145 6d54020de5e555b5389b578f782cd2c5
datastore-145.embedded.file activeX37.xml 93d2b180df5ec8102767e9e19d2605d8
datastore-145.activeX37.xml.21: exploit.office MSCOMCTL.OCX TabStrip CVE-2012-1856 classid
datastore-145.embedded.file activeX1.bin f7971aa425ee0c86bb9464ef5900533e
embedded.file datastore-129366 6d54020de5e555b5389b578f782cd2c5
datastore-129366.embedded.file activeX37.xml 93d2b180df5ec8102767e9e19d2605d8
datastore-129366.activeX37.xml.21: exploit.office MSCOMCTL.OCX TabStrip CVE-2012-1856 classid
datastore-129366.embedded.file activeX1.bin f7971aa425ee0c86bb9464ef5900533e
embedded.file datastore-258587 a64c34b21bc3423dbb0e8d4d228bfcee
datastore-258587.embedded.file activeX37.xml 93d2b180df5ec8102767e9e19d2605d8
datastore-258587.activeX37.xml.21: exploit.office MSCOMCTL.OCX TabStrip CVE-2012-1856 classid
datastore-258587.embedded.file activeX1.bin f7971aa425ee0c86bb9464ef5900533e
1419: obfuscation.office RTF embedded Word Document
414131: string.This program cannot be run in DOS mode
423577: string.CreateWindowExA
dropped.file exe 28a2363410f311d6a84dc3e867eb6cc9 / 290459 bytes / @ 414053


Cryptanalysis


key length: 4 bytes
key:

occurrences in file: 36554
entropy: 100.00%
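
The signature hits above place the string "This program cannot be run in DOS mode" at 414131 and the dropped executable at 414053, i.e. 0x4E bytes earlier, which is exactly where that string sits in a standard MZ/DOS stub (custom stubs may place it elsewhere); the cryptanalysis block reports a 4-byte repeating XOR key. The script below is an added example, not Cryptam's code, showing how such findings are produced from a raw blob: a key-independent search for the DOS stub (XOR-differencing cancels a repeating key), known-plaintext recovery of the key in phase with file offset 0, validation of the PE signature via e_lfanew, sizing of the carve from the section table, and MD5/SHA-1/SHA-256 of the carved bytes. It generalises beyond the report's case by trying key lengths 1, 2, 4 and 8 at once. The blob, the demo key 13 37 BE EF and the minimal PE layout are constructed here for the demonstration.

```python
"""Carve embedded PEs from a blob, plaintext or under a short repeating XOR key."""
import hashlib
import random
import struct

DOS_STUB = b"This program cannot be run in DOS mode"
DOS_STUB_OFF = 0x4E  # where that string sits in a standard MZ/DOS stub
SECTION_HDR = 40     # sizeof(IMAGE_SECTION_HEADER)

def xor_bytes(data, key, start=0):
    """XOR with a repeating key; `start` is data's offset in the blob so every
    key is expressed in phase with blob offset 0."""
    return bytes(b ^ key[(start + i) % len(key)] for i, b in enumerate(data))

def _xor_shift(buf, n):
    """buf[i] ^ buf[i+n] for all i (big-int XOR, fast on large blobs)."""
    a, b = int.from_bytes(buf[:-n], "big"), int.from_bytes(buf[n:], "big")
    return (a ^ b).to_bytes(len(buf) - n, "big")

def find_stubs(blob, key_len):
    """Find DOS stubs under ANY repeating key of length key_len (key 0x00 =
    plaintext): blob[i]^blob[i+key_len] cancels the key, so the differenced
    stub is a plain substring search. A match also proves the key is consistent
    over the whole window, so it reads straight off the first key_len bytes."""
    if not 0 < key_len < len(DOS_STUB) or len(blob) <= key_len:
        return []
    needle, hay = _xor_shift(DOS_STUB, key_len), _xor_shift(blob, key_len)
    hits, pos = [], hay.find(needle)
    while pos != -1:
        key = bytearray(key_len)
        for i in range(key_len):  # phase-align the key to blob offset 0
            key[(pos + i) % key_len] = blob[pos + i] ^ DOS_STUB[i]
        hits.append((pos, bytes(key)))
        pos = hay.find(needle, pos + 1)
    return hits

def carve_pe(blob, stub_off, key):
    """Decode from the MZ header implied by the stub position, check the PE
    signature and size the file as the end of its last raw section."""
    mz_off = stub_off - DOS_STUB_OFF
    if mz_off < 0:
        return None
    hdr = xor_bytes(blob[mz_off:mz_off + 0x1000], key, start=mz_off)  # headers only
    if len(hdr) < 0x40 or hdr[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", hdr, 0x3C)[0]
    if e_lfanew + 24 > len(hdr) or hdr[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", hdr, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", hdr, e_lfanew + 20)[0]
    end = 0
    for i in range(nsec):
        off = e_lfanew + 24 + opt_size + i * SECTION_HDR
        if off + SECTION_HDR > len(hdr):
            break
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, off + 16)
        end = max(end, raw_ptr + raw_size)
    if end == 0:
        return None
    size = min(end, len(blob) - mz_off)  # truncated sample: do not overrun
    data = xor_bytes(blob[mz_off:mz_off + size], key, start=mz_off)
    digests = {h: hashlib.new(h, data).hexdigest() for h in ("md5", "sha1", "sha256")}
    return {"offset": mz_off, "size": size, "key": key, **digests}

def carve_all(blob, key_lens=(1, 2, 4, 8)):
    """One result per MZ header; the shortest key that explains the stub wins."""
    seen, out = set(), []
    for n in key_lens:
        for stub_off, key in find_stubs(blob, n):
            pe = None if stub_off in seen else carve_pe(blob, stub_off, key)
            if pe is not None:
                seen.add(stub_off)
                out.append(pe)
    return sorted(out, key=lambda p: p["offset"])

def build_fake_pe():
    """Constructed minimal PE32 (demo only): one .text section of 0x200 raw
    bytes at file offset 0x200, so a correct carve is exactly 0x400 bytes."""
    h = bytearray(0x200)
    h[0:2], h[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", h, 0x3C, 0x80)               # e_lfanew
    h[DOS_STUB_OFF:DOS_STUB_OFF + len(DOS_STUB)] = DOS_STUB
    struct.pack_into("<HH", h, 0x84, 0x14C, 1)          # Machine i386, 1 section
    struct.pack_into("<H", h, 0x94, 0xE0)               # SizeOfOptionalHeader (PE32)
    sec = 0x80 + 24 + 0xE0                              # section table offset
    h[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<II", h, sec + 16, 0x200, 0x200)  # SizeOfRawData, PointerToRawData
    return bytes(h) + b"\xCC" * 0x200

def build_sample_blob(key=b"\x13\x37\xBE\xEF"):
    """Constructed blob (demo only): junk, the PE in plaintext, junk, the same PE
    under a 4-byte XOR key, junk. Returns the blob and both PE offsets."""
    rng = random.Random(7)
    def junk(n):
        return bytes(rng.getrandbits(8) for _ in range(n))
    pe = build_fake_pe()
    blob = junk(300) + pe + junk(123)
    enc_at = len(blob)
    return blob + xor_bytes(pe, key, start=enc_at) + junk(50), 300, enc_at
```

Running `carve_all(open(path, "rb").read())` on a real sample returns one record per carved PE with its file offset, carved size, key (all zero bytes means plaintext) and digests; for the report's numbers one would expect an offset of 414053 from a stub hit at 414131. The size comes from the section table rather than from "everything to end of file", so trailing junk or a second embedded object is not swept into the hash, and the carve is clamped to the blob length so a truncated sample does not raise.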


Dropped Files

activeX37.xml at oxml
md5: 93d2b180df5ec8102767e9e19d2605d8
sha1: a4653e3b23480c14c3cfcd316d1d83481c135a0f
sha256: ab1a8144ffbd4f2403149e37ed31e49837ec9c8e792e1206035753fb976ddc3d

activeX1.bin at oxml
md5: f7971aa425ee0c86bb9464ef5900533e
sha1: 4bbc4f4ee3401c0776a0f7c76beb449ea0bdf273
sha256: a8faba39bebaf948e3aa88725a78fd8fb7bdf6d66c95481ef80e327de94bd050

datastore-258587 at rtf
md5: a64c34b21bc3423dbb0e8d4d228bfcee
sha1: 8d185fb1144b099889a13556c11c03afa3a86f42
sha256: ef30b2192e1913059236f0bd16ec8663c5eb02de792ba1e956c252e35f0e5ce3

exe at 414053
md5: 28a2363410f311d6a84dc3e867eb6cc9
sha1: 9f34774a4ff690c941047d97dedb2001bb0e63f8
sha256: f439f28ee5d866363936754482967d4ba94834bf79c1b64c89b49e604393f86d