Cryptam // document analysis


Sample Details

original filename: ECEA6318B4F5EBA860B0251B57577759

size: 259233 bytes
submitted: 2013-10-11 11:31:26
md5: ecea6318b4f5eba860b0251b57577759
sha1: 37a19902c9cd7f1dbfd66b42136119afb2df6fc0
sha256: 760a90c71906971e9b9d13ee7f2493d2487bf8918527eacfc478fdaecf31075b
ssdeep: 6144:MqnCNX4y0M+sNrVfztzOpUur4RtMmtlKu0Dh60DG:Cb0M7JztSpUumtlKfE/
content/type: Microsoft Word 2007+
analysis time: 0.00 s
result: malware [186]
embedded file objects: yes
embedded executable: found

signature hits:

embedded.file activeX1.xml 1f8f8324b45ffd7fd990b91af8397bbe
activeX1.xml.77: suspicious.office embedded Flash in MSO file
embedded.file activeX1.bin dbff6aff20045dbd1f926e5208042b6a
activeX1.bin.5632: suspicious.flash FWS flash in MS Office document
activeX1.bin.429148: flash.exploit CVE-2012-5054 Matrix3D
activeX1.bin.6265: string.This program cannot be run in DOS mode
activeX1.bin.169897: string.LoadLibraryA
activeX1.bin.169695: string.GetModuleHandleA
activeX1.bin.171029: string.GetCommandLineA
activeX1.bin.147415: string.GetSystemMetrics
activeX1.bin.169677: string.GetProcAddress
activeX1.bin.190939: string.CreateProcessA
activeX1.bin.170571: string.EnterCriticalSection
activeX1.bin.170233: string.CloseHandle
activeX1.bin.170359: string.CreateFileA
activeX1.bin.173845: string.RegOpenKeyExA
activeX1.bin.173875: string.RegDeleteKeyA
activeX1.bin.146519: string.user32.dll
activeX1.bin.146439: string.shell32.dll
activeX1.bin.144367: string.KERNEL32
activeX1.bin.150814: string.ExitProcess
activeX1.bin.172291: string.GetMessageA
activeX1.bin.172989: string.CreateWindowExA
activeX1.bin.dropped.file exe c427721be043bb5a2dd746920ec2bc25 / 175912 bytes / @ 6187
activeX1.bin.dropped.file exe 5445475bfefc35f384d5e98bc5e507e9 / 254125 bytes / @ 182099


Yara Tags

win_registry_lockout

Dropped Files

activeX1.xml at zip
md5: 1f8f8324b45ffd7fd990b91af8397bbe
sha1: 319a91b2d1fe8b3a801f3e4fe6928aee20b88eae
sha256: d74de6adb922a74c86280bdd2bf3034103ba8c4f41480beb6ef2a74f7df0f824

activeX1.bin at zip
md5: dbff6aff20045dbd1f926e5208042b6a
sha1: bb9f440e775d33df76369adbe05f58054f7b7475
sha256: 59cbfb3389b6b80ea26e0d53e31a5f0f903e6309c5d550940eba246a1392b9c3

exe at 6187
md5: c427721be043bb5a2dd746920ec2bc25
sha1: c94d1b8088db75fc084d6eccca5986474cbe76b0
sha256: c0716165a84d689309ad9fa9d83cf75ae8f548d85680a46b3b22146ec3938b95

exe at 182099
md5: 5445475bfefc35f384d5e98bc5e507e9
sha1: 33b84f1d732b539b6048344e46fb883a21992019
sha256: ad750b6f8e5ebe2b5ef221985a45e461e6e0cee2a7bbcaf6551a976ccea87da5
imphash: cf537e1fb8e5cc2d42de8de42a00683d