Cryptam // document analysis


Sample Details

original filename: oleObject1.bin

size: 3701760 bytes
submitted: 2017-06-14 03:54:08
md5: 95aa7a5ad98277803f9e9f68b0368896
sha1: 1ae79d7ed52a86ab901f3e420eb9f8e1205d3152
sha256: 7b868d953cdcb3fa3f466eee16cf844b582ce581fdde817b95758913dbcd55a5
ssdeep: 98304:hMG2qdM5iA/qHwuMb3erYvq59VyMeTRoJjn:hndM5NPzEQ29V+oVn
content/type: Composite Document File V2 Document, No summary info
analysis time: 8378.35 s
result: malware [282]
embedded executable: found

signature hits:

embedded.file _hashlib.pyd fc961b9ecc1737ad18da5a120ad2b322
_hashlib.pyd.78: string.This program cannot be run in DOS mode
_hashlib.pyd.298620: string.LoadLibraryA
_hashlib.pyd.298602: string.GetProcAddress
_hashlib.pyd.298574: string.CloseHandle
_hashlib.pyd.265924: string.KERNEL32
embedded.file bz2.pyd d276ae9856f2a6cd155b1e76f69cd6e2
bz2.pyd.78: string.This program cannot be run in DOS mode
bz2.pyd.56522: string.KERNEL32
embedded.file _AES.pyd dd3db5480eb52e8f69d47f3b725e6bfb
_AES.pyd.78: string.This program cannot be run in DOS mode
_AES.pyd.25116: string.KERNEL32
embedded.file _ctypes.pyd 1c09c83703728323dcc77582c2e65408
_ctypes.pyd.78: string.This program cannot be run in DOS mode
_ctypes.pyd.69392: string.LoadLibraryA
_ctypes.pyd.69282: string.GetProcAddress
_ctypes.pyd.69486: string.KERNEL32
embedded.file unicodedata.pyd d14086b50975648c7126afdcdf3ffcd0
unicodedata.pyd.78: string.This program cannot be run in DOS mode
unicodedata.pyd.16508: string.KERNEL32
embedded.file select.pyd 56cf106764ecb7540fe04565d87def44
select.pyd.78: string.This program cannot be run in DOS mode
select.pyd.7840: string.KERNEL32
3672144: suspicious.office Packager ClassID used by CVE-2014-6352 C
705: string.This program cannot be run in DOS mode
12313: string.LoadLibraryA
12371: string.GetModuleHandleA
12295: string.GetProcAddress
2014069: string.CreateProcessA
2014123: string.GetEnvironmentVariableA
12213: string.CloseHandle
12263: string.CreateFileA
2015067: string.RegOpenKeyExA
2014953: string.RegDeleteKeyA
12833: string.KERNEL32
dropped.file exe e55679e0a29d5d5a4647c6b9cad5ee6f / 15644 bytes / @ 627
dropped.file exe 73e11f834c900dfa4b7c83c9cd9616e6 / 3685489 bytes / @ 16271



Dropped Files

_hashlib.pyd at oxml
md5: fc961b9ecc1737ad18da5a120ad2b322
sha1: 34937f95b7cb18a86bc4444af4c61779618e47fe
sha256: 61417780b2f2a0a0e3b9f9cf5a8ce1a9ee03cf2eac5e9b1fec9748131e2f4b5a

bz2.pyd at oxml
md5: d276ae9856f2a6cd155b1e76f69cd6e2
sha1: 743b295bb0af3b4eb1cd8327b2d5673d1f21cc07
sha256: ea06e960d254530b007f2ef276d1fc715e5ae7a9d612eaa9ef0044371d58811a

_AES.pyd at oxml
md5: dd3db5480eb52e8f69d47f3b725e6bfb
sha1: cb14cda7f5e3e2b88c823e4d15643680398b361e
sha256: 51054f4d28782b6698b1b6510317650e797e11f87fa29fceaf8559b6bcbf4dfe

_ctypes.pyd at oxml
md5: 1c09c83703728323dcc77582c2e65408
sha1: d389d2442c9cb0ce7cb1bc71c533942f29254ce3
sha256: 8645cc776b2c654bc052af10c1ba7da9bf3f8aceb7e6580d71d13a31bdf43402

unicodedata.pyd at oxml
md5: d14086b50975648c7126afdcdf3ffcd0
sha1: 9e6e856e06f984a2424ef37e8259ed18d00d24d0
sha256: da0097616604371556eda1adc58bbfc9de28d233c5ded9a84e85d4821533e393

select.pyd at oxml
md5: 56cf106764ecb7540fe04565d87def44
sha1: 450d9d3118b9b345f1aec4d3379f863b9ed8fad3
sha256: 12af282a1f91376843c157c8b1d96db1d7f7d8c1db38fb9067000fb3ba4ab16d

exe at 627
md5: e55679e0a29d5d5a4647c6b9cad5ee6f
sha1: 4dec3bfcf9ede8342881612980de5639e473608a
sha256: 2f0937b207083b5e5bfaa05f63ce8cc5f14e1e887a8428401d5f6d3eed6f2158

exe at 16271
md5: 73e11f834c900dfa4b7c83c9cd9616e6
sha1: 91f8a6d69ad2ff9e12a638ad67abbe599bdba2b8
sha256: cbd465d1b02bbefbbd37c104b9450e39dc72ff2af0e8f01d9a264697a13cfd34