Cryptam // document analysis

Sample Details

original filename: 5e86909ba9a34f93f29b71cc60d9ad583967735c76cc04f9fd7915b5eabe238d

size: 452318 bytes
submitted: 2014-04-11 04:49:03
md5: b2b8127bae5b61e258b17dc057338075
sha1: afbfe304f0a8fc35cb0f47577c2ebf56a3770caa
sha256: 5e86909ba9a34f93f29b71cc60d9ad583967735c76cc04f9fd7915b5eabe238d
ssdeep: 6144:x74Xz11w6jKOwCkf3SaAg+0clo3depkZj5u0GWLFoi6Raq2y:2XzDw6j51kCg+bec+GWB16R12y
content/type: Rich Text Format data, version 1, unknown character set
analysis time: 220.30 s
result: malware [118]
embedded file objects: yes

signature hits:

embedded.file datastore-4682 52752cda21cb090a9cd6e038bdbc6556
datastore-4682.3781: suspicious.office MSCOMCTL.OCX ImageComboCtl
datastore-4682.11: suspicious.office OLE MSCOMCTL.OCX ImageComboCtl
datastore-4682.2980: suspicious.office OLE MSCOMCTL.OCX ImageComboCtl wide
embedded.file datastore-20185 c07523f79d5d46e44c68bb3c64d21543
datastore-20185.2223: suspicious.office ActiveX content TreeCtrl.2
embedded.file datastore-83371 f385145162212d21bf26bf14907286b0
datastore-83371.78: xor_0xbf.string.This program cannot be run in DOS mode
datastore-83371.50292: xor_0xbf.string.LoadLibraryA
datastore-83371.49600: xor_0xbf.string.GetModuleHandleA
datastore-83371.49638: xor_0xbf.string.GetCommandLineA
datastore-83371.48664: xor_0xbf.string.GetProcAddress
datastore-83371.49990: xor_0xbf.string.GetEnvironmentVariableA
datastore-83371.48818: xor_0xbf.string.CloseHandle
datastore-83371.46680: xor_0xbf.string.user32.dll
datastore-83371.49334: xor_0xbf.string.KERNEL32
datastore-83371.49656: xor_0xbf.string.ExitProcess
datastore-83371.dropped.file exe c7eb8a4486593a850d54be1204a5cc41 / 159744 bytes / @ 0
datastore-83371.dropped.file doc cb2a99503c354792959761ff335127af / 22016 bytes / @ 159744
20120: suspicious.office ActiveX content TreeCtrl.2
24667: suspicious.office ActiveX content TreeCtrl.2
22481: suspicious.office ActiveX content TreeCtrl.1 clsid
4633: suspicious.office RTF MSCOMCTL.OCX ImageComboCtl
4642: suspicious.office MSCOMCTL.OCX ImageComboCtl

Yara Tags

activex_imagecombo

Dropped Files

exe at 0
md5: c7eb8a4486593a850d54be1204a5cc41
sha1: b6b9b7c9ae063cec603c56b43f0aff89614a0a69
sha256: 7371c60279c68922311d2c08fbca0bf8ba71be80b541c1ab3eb36250dceac9b8

doc at 159744
md5: cb2a99503c354792959761ff335127af
sha1: b9ac4714c65cc4143a7efb288fafb0f547203e7a
sha256: 97414afb78e33e7b8c73b471ff5b772e5c5a9a3614d2b0a6f1db491c0f0f4207

datastore-83371 at rtf
md5: f385145162212d21bf26bf14907286b0
sha1: 67fa8b1fbac480f4a268fb8ce96ba659d312de0b
sha256: d872425742ee02155bfa9e7bae57b986264a7a07786a10642aaf81f1030f0c69