Cryptam // document analysis



Sample Details

original filename: eb87cf5a3988dcc922bd000aba7cd635.1

size: 825686 bytes
submitted: 2018-02-09 18:45:26
md5: eb87cf5a3988dcc922bd000aba7cd635
sha1: 0e47f48e6e3364c100489e131f013ff227dd4936
sha256: 8e6d8dd4cbac3beadb96d3a739ec7113537842c9088af43cbedd9780108523a3
ssdeep: 24576:rJK5C1V5kQFJXF4Z642tb5mH2ZqLug4c9:hJXyYd95mYqLz4c9
content/type: data
analysis time: 53.44 s
result: malware [280]
embedded file objects: yes
embedded executable: found

signature hits:

embedded.file datastore-124 a996f9b85dff0d28f2111e4d6e09da88
datastore-124.embedded.file activeX37.xml 697982b692868d0fd05910954e0e971a
datastore-124.activeX37.xml.77: exploit.office MSCOMCTL.OCX TabStrip CVE-2012-1856 classid
datastore-124.activeX37.xml.56: suspicious.office activeX
datastore-124.embedded.file activeX1.bin 23cc315702179b8552b702892e433801
embedded.file datastore-98542 428dbcbf0b2e5b6f5efce544236a03d6
datastore-98542.embedded.file document.xml 254ccbc792e77ed08b4d76727ad63907
datastore-98542.document.xml.43717: exploit.office SmartTag element parsing CVE-2015-1641
datastore-98542.document.xml.44050: exploit.office SmartTag element parsing CVE-2015-1641
embedded.file datastore-161120 42489e79720c4deb398eca92c201b2ca
datastore-161120.embedded.file activeX37.xml 697982b692868d0fd05910954e0e971a
datastore-161120.activeX37.xml.77: exploit.office MSCOMCTL.OCX TabStrip CVE-2012-1856 classid
datastore-161120.activeX37.xml.56: suspicious.office activeX
datastore-161120.embedded.file activeX39.xml aa410ab76f7122c2a17c5f8645d47d40
datastore-161120.activeX39.xml.77: exploit.office Sandbox Overflow class id CVE-2015-1770
datastore-161120.activeX39.xml.56: suspicious.office activeX
datastore-161120.embedded.file ActiveX1.bin 4361d776a59566a0aaa5ba48db11f7a3
198: obfuscation.office RTF embedded Word Document
271596: string.This program cannot be run in DOS mode
770808: string.LoadLibraryA
770464: string.GetModuleHandleA
771788: string.GetCommandLineA
742502: string.GetSystemMetrics
770420: string.GetProcAddress
770698: string.CreateProcessA
771536: string.GetEnvironmentVariableA
770684: string.CloseHandle
771264: string.CreateFileA
767154: string.RegDeleteKeyA
742822: string.user32.dll
752262: string.shell32.dll
763618: string.KERNEL32
763277: string.ExitProcess
769114: string.GetMessageA
768498: string.CreateWindowExA
dropped.file exe c7bfeea70d0b32c3de12425a05755352 / 471500 bytes / @ 271518
dropped.file rtf b8757153161150ffe550266c7dd7179f / 82668 bytes / @ 743018


Cryptanalysis


key length: 4 bytes
key:

occurrences in file: 113
entropy: 100.00%



Dropped Files

activeX37.xml at oxml
md5: 697982b692868d0fd05910954e0e971a
sha1: a86a5e7a04472429853fc8e7cb527068d81a1493
sha256: 5923857ab213b3b29348babfea4bf9590c4a3b193395eb0897d3934d4d29b158

activeX39.xml at oxml
md5: aa410ab76f7122c2a17c5f8645d47d40
sha1: ef34618fe02db69e3a00b93142102e78e6a4f93f
sha256: 6514a03cde437a6f747d0b698cb8f23fba70914d992e8d0bd1990dfb84d3dbc0

ActiveX1.bin at oxml
md5: 4361d776a59566a0aaa5ba48db11f7a3
sha1: 317a215e3ba4b7b4ffbc7c31aa4e165b733031d9
sha256: e57c83fab935d0d1310201cd5699e62f468b4fd49b31f651481f8f1ac11eb1d6

datastore-161120 at rtf
md5: 42489e79720c4deb398eca92c201b2ca
sha1: b84431687908fc933a53fe5fe08144b88d3a3a10
sha256: d6a3eb90ad4e15c72e447acca2a39854dea3d5c6e30f85f0d644a9111e48347b

exe at 271518
md5: c7bfeea70d0b32c3de12425a05755352
sha1: 31339f957ebf77b221bb7a244da24f9e83d9bd99
sha256: 6cd7c836f3bd1b1857283c5dce24ba16b5d169585085c75e20c70b1b2a4b5f9b

rtf at 743018
md5: b8757153161150ffe550266c7dd7179f
sha1: 44e2d2ccb8d6b877dbdebb8b2989a6d8c9dc71f9
sha256: de629be8116f19e77257499abc1fc74b5f3faea2343b4bd6e3364189fa2bfa43