Cryptam // document analysis



Sample Details

original filename: 742db588c3cfa416215619db34e168be58846058f7528adee8358bb8b8b68fe3

size: 298496 bytes
submitted: 2013-05-27 22:32:33
md5: 7e3770351aed43fd6c5cab8e06dc0300
sha1: b4562ef0cd54234374ff9d24e0d1b01c1db5e873
sha256: 742db588c3cfa416215619db34e168be58846058f7528adee8358bb8b8b68fe3
ssdeep: 3072:hHNqm9x2CAUTuKRTnwQ59LJWKMFjBKFS/JEVglzIeLw:htqAcCAUCKRTwoxJXKjBKFShEVgzw
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 2.65 s
result: malware [128]
embedded executable: found

signature hits:

13824: suspicious.flash FWS flash in MS Office document
2561: suspicious.flash flash control in MS Office document
64688: flash.exploit CVE-2012-1535
64936: flash.exploit CVE-2012-1535
68878: string.This program cannot be run in DOS mode
137728: string.LoadLibraryA
86010: string.GetModuleHandleA
86890: string.GetSystemMetrics
137574: string.GetProcAddress
86594: string.EnterCriticalSection
86126: string.CloseHandle
137932: string.CreateFileA
86644: string.KERNEL32
86030: string.ExitProcess
86700: string.GetMessageA
86790: string.CreateWindowExA
dropped.file exe a18561480b9212b9eae6735cadf2d01d / 24672 bytes / @ 68800
dropped.file exe 7f12ada63eff2a3561505fd4cb9815e5 / 205024 bytes / @ 93472


Cryptanalysis


key length: 256 bytes
key:

occurrences in file: 78140
entropy: 100.00%


Dropped Files

exe at 68800
md5: a18561480b9212b9eae6735cadf2d01d
sha1: 89ac6a5d9470cc6da541d2888ba6ff6a69d751d4
sha256: d5c6f2bb0565b7b468045a58b10b06ab21c1d405c710c7f9e5e6ec85310670ed

exe at 93472
md5: 7f12ada63eff2a3561505fd4cb9815e5
sha1: d51e80eae2d4aba284d6b18871593cb439106301
sha256: 41f023f625241f5730c355ba052a7d7b25bc905cc2b296ae40679fbabce34efe