Cryptam // document analysis


Sample Details

original filename: TIckIt.xlsm

size: 1385325 bytes
submitted: 2018-04-12 06:40:02
md5: fc43a8a2d7e92b90f1803a351d13915d
sha1: 51f0a695600a59f8a0aa3d15135402d84386a95b
sha256: 80177b55e836165869cbc6f533c8d8700188a754f85141825ff0d3d138f5a4e1
ssdeep: 24576:elfGsgpNgfWEvmKl9n17Xe5dOG9tnvajb77wWJ2zYzc4ZSPr4k1Ai21:QGNLguEOKn17YP9BsPwPzYzcpjmi21
content/type: Microsoft Excel 2007+
analysis time: 0.00 s
result: malware [92]
embedded file objects: yes
embedded executable: found

signature hits:

embedded.file vbaProject.bin ab80d92b9e325d5c8f79aab6ec2451b0
vbaProject.bin.968643: exploit.office embedded Visual Basic write to file Scripting.FileSystemObject
vbaProject.bin.1435362: suspicious.office Visual Basic macro
vbaProject.bin.420415: string.GetSystemMetrics
vbaProject.bin.1449507: string.user32.dll
vbaProject.bin.1466296: string.shell32.dll
vbaProject.bin.327672: string.vbs On Error Resume Next
embedded.file activeX19.xml f206cb1410db3b11e9ffbb3d3025eef2
activeX19.xml.56: suspicious.office activeX
embedded.file activeX3.xml 9c4c200a6097bc4c4032935eea561ae5
activeX3.xml.56: suspicious.office activeX
embedded.file activeX2.xml e7a5e13ce6bb041147c1b611a27393f0
activeX2.xml.56: suspicious.office activeX
embedded.file oleObject1.bin 8c8a03a2c38b02c88d58a03e19c0d6bc
oleObject1.bin.embedded.file KPMG_PDF_UNLOCK.exe cf91a3a5b43d3d6efd6bcbde75675e38
oleObject1.bin.KPMG_PDF_UNLOCK.exe.78: string.This program cannot be run in DOS mode
oleObject1.bin.KPMG_PDF_UNLOCK.exe.269554: string.GetCommandLineA
oleObject1.bin.1104: suspicious.office Packager ClassID used by CVE-2014-6352 C
embedded.file sheet1.xml 1843639492f0024f179fbac98a92474c
sheet1.xml.13213: suspicious.office OOXML Class used by CVE-2014-6352 D


Dropped Files

vbaProject.bin at zip
md5: ab80d92b9e325d5c8f79aab6ec2451b0
sha1: d57a85e2dd156db0c5e65cd99dcba38d7d88ddff
sha256: f41d0eef5abe82abb6eb0fb4639b03e0254867ea57a3f123b949bada17b7a36a

activeX19.xml at zip
md5: f206cb1410db3b11e9ffbb3d3025eef2
sha1: b564e89d4b3e1142fe9a9789d5ed4e1bf8fb45d4
sha256: 6d748d142a117bccd48336975ba6f37e9107ab725a223d02a1e6c1823d786574

activeX3.xml at zip
md5: 9c4c200a6097bc4c4032935eea561ae5
sha1: 13d3f8f77e99fb1258c8d909fbf499836ed926a5
sha256: 8b768c335abcfc936327e67a4612023ebcb7374dd52be3f558ed103799f9f10a

activeX2.xml at zip
md5: e7a5e13ce6bb041147c1b611a27393f0
sha1: d83b4314b94d2d3f116bb9b7eb25a85107adf16a
sha256: af40acf733ed2ee5319c46eb75655f14c0dadf46294c9ddbe2eb57edd2bc7ad6

oleObject1.bin at zip
md5: 8c8a03a2c38b02c88d58a03e19c0d6bc
sha1: b3a8b7191c75e0ad0347dcae063264a4675e2810
sha256: 6a8d84fac292522cc2e10c5a0a0375bbdeef4ed6280b9d52ba749c6b192a3054

KPMG_PDF_UNLOCK.exe at oxml
md5: cf91a3a5b43d3d6efd6bcbde75675e38
sha1: 656a42ffac288575eef402c1cb9cc903dc1326a0
sha256: f234def5bf1958556e8fb2c1ccc1fae86b3fc3a20cb5648bffa1bcb375056af3

sheet1.xml at zip
md5: 1843639492f0024f179fbac98a92474c
sha1: 1e0f6c97d346d83bbf904a572c644ff2cb684dd0
sha256: 809a36919ec914c341eec43519cd682c8942ca2a964b33e7f7a56678cf4429c0
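
The signature hits and the dropped-file list above are the output of one procedure: open the OOXML zip, hash each part, match part names and indicator strings, and carve the executable out of the Packager OLE object. The script below reproduces that triage so the result can be checked against the hashes listed on this page. It is an added example, not Cryptam's code. The workbook it analyses is constructed inline by build_sample_xlsm() (the real part paths, synthetic contents; the embedded "PE" is a header-only shell built by build_fake_pe()) so it runs offline; on a real sample pass the file bytes to triage() instead. Caveat a practitioner should know: a genuine vbaProject.bin holds VBA source MS-OVBA-compressed inside an OLE container, so plain string matching on it underreports; decompress first (for instance with oletools' olevba) before trusting the absence of a hit.

```python
"""Triage an OOXML container the way the report above does: hash each zip part,
flag parts by name and by indicator string, carve PE images out of *.bin parts."""
import hashlib
import io
import re
import struct
import zipfile

# Indicator strings taken verbatim from the signature hits above.
INDICATORS = {
    b"Scripting.FileSystemObject": "VBA write-to-file via FileSystemObject",
    b"On Error Resume Next": "VBS/VBA error suppression",
    b"GetSystemMetrics": "user32 GetSystemMetrics (screen/sandbox check)",
    b"user32.dll": "user32.dll reference",
    b"shell32.dll": "shell32.dll reference",
    b"This program cannot be run in DOS mode": "PE DOS stub (embedded executable)",
    b"GetCommandLineA": "kernel32 GetCommandLineA import",
}
# Part basenames that are suspicious in a spreadsheet on their own.
PART_PATTERNS = [
    (re.compile(r"^vbaProject\.bin$"), "VBA macro project"),
    (re.compile(r"^oleObject\d+\.bin$"), "embedded OLE object"),
    (re.compile(r"^activeX\d+\.xml$"), "ActiveX control"),
]

def _pe_at(blob, pos):
    """Validate an MZ candidate at pos via e_lfanew -> 'PE\\0\\0' and return the image,
    sized from the section table (max PointerToRawData + SizeOfRawData), else None."""
    if pos + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
    pe = pos + e_lfanew
    if e_lfanew < 0x40 or pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", blob, pe + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]   # SizeOfOptionalHeader
    end = e_lfanew + 24 + opt_size + 40 * nsec              # at least the headers
    for i in range(nsec):
        sh = pe + 24 + opt_size + 40 * i                    # 40-byte section header
        if sh + 40 > len(blob):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sh + 16)
        end = max(end, raw_ptr + raw_size)
    return blob[pos:pos + end] if pos + end <= len(blob) else None

def carve_pe(blob):
    """Return every complete PE image found anywhere in blob (truncated ones skipped)."""
    images, pos = [], blob.find(b"MZ")
    while pos != -1:
        img = _pe_at(blob, pos)
        if img:
            images.append(img)
        pos = blob.find(b"MZ", pos + 1)
    return images

def triage(container):
    """Hash every zip part and collect name/string/PE hits, keyed by part path."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            base = info.filename.rsplit("/", 1)[-1]
            hits = [label for pat, label in PART_PATTERNS if pat.match(base)]
            hits += [f"{label} @ {data.find(s)}" for s, label in INDICATORS.items() if s in data]
            pes = carve_pe(data) if base.endswith(".bin") else []
            report[info.filename] = {
                "size": len(data),
                "md5": hashlib.md5(data).hexdigest(),
                "sha256": hashlib.sha256(data).hexdigest(),
                "hits": hits,
                "embedded_pe": [hashlib.sha256(p).hexdigest() for p in pes],
            }
    return report

def build_fake_pe():
    """Constructed, non-runnable PE-shaped blob (DOS header + stub, PE\\0\\0, COFF header,
    one section, no optional header); exists only to exercise carve_pe."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)                   # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x80)                 # e_lfanew -> 0x80
    dos += b"This program cannot be run in DOS mode.\r\n$".ljust(0x40, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)  # i386, 1 section
    body = b"GetCommandLineA\0" + b"\xCC" * 48
    raw_ptr = 0x80 + 4 + 20 + 40                            # first byte after headers
    section = (b".text".ljust(8, b"\0")
               + struct.pack("<IIII", len(body), 0x1000, len(body), raw_ptr) + b"\0" * 16)
    return bytes(dos) + b"PE\0\0" + coff + section + body

def build_sample_xlsm():
    """Constructed stand-in for the sample: real OOXML part paths, synthetic contents
    (VBA kept in plaintext here; a real vbaProject.bin is MS-OVBA-compressed)."""
    parts = {
        "[Content_Types].xml": b"<Types/>",
        "xl/workbook.xml": b"<workbook/>",
        "xl/worksheets/sheet1.xml": b"<worksheet/>",
        "xl/vbaProject.bin": (b"\xD0\xCF\x11\xE0" + b"\0" * 32 + b"On Error Resume Next\r\n"
            b'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
            b'Private Declare Function GetSystemMetrics Lib "user32.dll" () As Long\r\n'),
        "xl/activeX/activeX2.xml": b"<ax:ocx/>",
        "xl/embeddings/oleObject1.bin": b"\xD0\xCF\x11\xE0" + b"\0" * 64 + build_fake_pe() + b"\0" * 16,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    for part, r in triage(build_sample_xlsm()).items():
        if r["hits"] or r["embedded_pe"]:
            print(f"{part} md5={r['md5']} hits={r['hits']} pe={r['embedded_pe']}")
```

The carver sizes the image from the section table rather than taking everything to the end of the OLE blob, so the sha256 it reports for a carved executable is the hash of the file as it would be written to disk, which is what you need to compare against the KPMG_PDF_UNLOCK.exe digests listed above.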