Cryptam // document analysis


Sample Details

original filename: documents.xlsx

size: 847136 bytes
submitted: 2017-03-16 00:53:10
md5: 74ce548d661b4b022bca1ca13dd27707
sha1: 6b333ed0a357c01138102663d64159f180359c85
sha256: 8954b4e9aa1af9ff33b48a8589ea6b88b363736f3ad179df2e99f8fafbeafce0
ssdeep: 12288:1TF1A4rqCWE/p//Fn0P9err3EZzQGmYdyyhbeHx68wcZb04St2bWA1FYmZHThj9Y:5bZrqA//FIekNRmYJbso8wc7hFlth5Y
content/type: Microsoft Excel 2007+
analysis time: 0.00 s
result: malware [74]
embedded file objects: yes
embedded executable: found

signature hits:

embedded.file oleObject1.bin 5958ff05267f6487d3ae7cf1e78ee859
oleObject1.bin.1104: suspicious.office Packager ClassID used by CVE-2014-6352 C
oleObject1.bin.9445: string.This program cannot be run in DOS mode
oleObject1.bin.90977: string.GetSystemMetrics
oleObject1.bin.90199: string.GetProcAddress
oleObject1.bin.89513: string.CloseHandle
oleObject1.bin.89641: string.CreateFileA
oleObject1.bin.90805: string.KERNEL32
oleObject1.bin.90155: string.ExitProcess
oleObject1.bin.dropped.file exe a63c6279cec68f20ddd34594353c7220 / 874345 bytes / @ 9367
embedded.file sheet1.xml bb64e95887281c8d5ab905f94f4bdae6
sheet1.xml.1253: suspicious.office OOXML Class used by CVE-2014-6352 D
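
The hits above are consistent with each other: oleObject1.bin is an OLE Packager object wrapping a PE, the dropped exe is carved at offset 9367, and the DOS-stub string lands at 9445, exactly 78 (0x4E) bytes later, which is where the standard MZ stub places "This program cannot be run in DOS mode". The winrar_sfx Yara tag means the 874345-byte carve is a self-extractor, so the archive payload sits after the last PE section as overlay. The Python script below is an added example, not Cryptam's code, that reproduces this carving on any xlsx/docx: it opens the OOXML zip, walks the */embeddings/* streams, accepts an MZ only when e_lfanew points at "PE\0\0", hashes the carved image, reports string hits in the report's name.offset style, and measures the overlay. The function names, the SUSPICIOUS_STRINGS list and the constructed document returned by build_sample_xlsx() are this example's own; it does not reproduce the sample analysed above.

```python
"""Carve a PE out of the OLE objects embedded in an OOXML container.
Added example, not Cryptam's code; names and the sample document are constructed here."""
import hashlib
import io
import struct
import sys
import zipfile

DOS_STUB_MSG = b"This program cannot be run in DOS mode"
# Imports the report flags; hits come back as (offset, name), like "oleObject1.bin.90199: string.GetProcAddress".
SUSPICIOUS_STRINGS = [b"GetProcAddress", b"CreateFileA", b"CloseHandle",
                      b"ExitProcess", b"GetSystemMetrics", b"KERNEL32"]
MACHINE_NAMES = {0x014C: "i386", 0x8664: "amd64", 0x01C4: "armnt", 0xAA64: "arm64"}


def find_pe_offsets(data: bytes) -> list:
    """Offsets of 'MZ' headers whose e_lfanew really lands on a 'PE\\0\\0' signature.
    A bare 'MZ' search is noisy; checking e_lfanew turns a DOS-stub string hit into a confirmed executable."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x400 and data[sig:sig + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def pe_summary(pe: bytes) -> dict:
    """Machine, section count, and where the last section's raw data ends.
    Bytes past section_end are overlay: for an SFX that is the archive payload."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    sec_tbl = e_lfanew + 24 + opt_size
    raw_end = 0
    for i in range(nsections):
        hdr = sec_tbl + 40 * i
        if hdr + 40 > len(pe):
            break
        size_raw, ptr_raw = struct.unpack_from("<II", pe, hdr + 16)   # SizeOfRawData, PointerToRawData
        raw_end = max(raw_end, ptr_raw + size_raw)
    return {"machine": MACHINE_NAMES.get(machine, hex(machine)), "sections": nsections,
            "section_end": raw_end, "overlay": max(0, len(pe) - raw_end)}


def string_hits(data: bytes, patterns) -> list:
    """Every (offset, pattern) occurrence in the stream, sorted by offset."""
    out = []
    for pat in patterns:
        pos = data.find(pat)
        while pos != -1:
            out.append((pos, pat.decode()))
            pos = data.find(pat, pos + 1)
    return sorted(out)


def carve_embedded_pes(ooxml: bytes) -> list:
    """Walk every */embeddings/* stream in the zip and carve each validated PE from its MZ
    header to the end of the stream (overlay kept on purpose, it is the SFX payload)."""
    results = []
    with zipfile.ZipFile(io.BytesIO(ooxml)) as zf:
        for name in zf.namelist():
            if "/embeddings/" not in name:
                continue
            blob = zf.read(name)
            for off in find_pe_offsets(blob):
                pe = blob[off:]
                msg = pe.find(DOS_STUB_MSG)
                results.append({"container": name, "container_md5": hashlib.md5(blob).hexdigest(),
                                "offset": off, "size": len(pe),
                                "md5": hashlib.md5(pe).hexdigest(),
                                "sha256": hashlib.sha256(pe).hexdigest(),
                                "dos_stub_msg_at": off + msg if msg != -1 else None,
                                "strings": string_hits(blob, SUSPICIOUS_STRINGS),
                                **pe_summary(pe)})
    return results


def build_sample_xlsx() -> bytes:
    """Constructed test input (not the report's sample): a minimal xlsx whose
    xl/embeddings/oleObject1.bin holds a synthetic i386 PE followed by a short overlay."""
    mz = bytearray(0x80)
    mz[0:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 0x80)               # e_lfanew -> PE signature at 0x80
    mz[0x4E:0x4E + len(DOS_STUB_MSG)] = DOS_STUB_MSG      # standard stub message position (+78)
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (0xE0 - 2)
    text_hdr = b".text".ljust(8, b"\x00") + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\x00" * 16
    headers = (bytes(mz) + coff + opt + text_hdr).ljust(0x200, b"\x00")
    text = b"KERNEL32\x00GetProcAddress\x00CreateFileA\x00ExitProcess\x00".ljust(0x200, b"\x00")
    overlay = b"Rar!\x1a\x07\x00" + b"A" * 20               # stands in for appended SFX archive data
    packager = b"\x02\x00" + b"documents.exe\x00" + b"\x00" * 48   # stand-in for the Packager stream header
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        zf.writestr("xl/embeddings/oleObject1.bin", packager + headers + text + overlay)
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_xlsx()
    for r in carve_embedded_pes(data):
        print(f"{r['container']}: PE @ {r['offset']} ({r['size']} bytes, {r['machine']}, "
              f"overlay {r['overlay']} bytes) md5={r['md5']}")
        for off, s in r["strings"]:
            print(f"  {r['container'].rsplit('/', 1)[-1]}.{off}: string.{s}")
```

Run it with the path of a suspect .xlsx or .docx as the only argument; with no argument it analyses its own constructed sample. Carving to the end of the stream rather than to section_end is deliberate: for an SFX the bytes after section_end are the archive to unpack next, and the difference between the two is the overlay size. The imphash shown in the report needs the import directory, which this script does not parse; pefile.PE(data).get_imphash() computes it from the carved bytes.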


Yara Tags

winrar_sfx

Dropped Files

oleObject1.bin at zip
md5: 5958ff05267f6487d3ae7cf1e78ee859
sha1: 351db31105592e6d851e1be4d872e57646c80d6b
sha256: 8d5b0c9e1b88056f1fdb25e45ddc7210ce44f485a351a9d9301da5b680c8031b

exe at 9367
md5: a63c6279cec68f20ddd34594353c7220
sha1: fb68739b67848363c10b44725b36ea54e3913919
sha256: 801934cfd587645af9d718d278175d4f7209b58364134f8427c5c4bac46bb50e
imphash: 3c98c11017e670673be70ad841ea9c37

sheet1.xml at zip
md5: bb64e95887281c8d5ab905f94f4bdae6
sha1: cd6c6639ecce9de8516d9ef59590d3c8720d3257
sha256: 4a42f3733ea9b86bce6f639ea556377eeee2930a111783194e10b70f7c36a2ea