Cryptam // document analysis



Sample Details

original filename: hello_evil.doc

size: 899550 bytes
submitted: 2017-03-15 17:42:02
md5: 5140386630f903910274be9ea472773a
sha1: f8f5886c771f094132ee62e000560785e69e410e
sha256: a0ade9f59f6390d27c20fb1cd71c59dd9e958e406521ae68818ab7dbf39e0753
ssdeep: 24576:libf09jkwJx1aqLnBZ30tzT1Fz5PkUtGgLEngiqedM9rYhili:lCf0dXx1aqLnBZ3kzxHkU4gLEngiqedA
content/type: data
analysis time: 26.36 s
result: malware [200]
embedded executable: found

signature hits:

63850: exploit.office RTF memory corruption listoverridecount CVE-2012-2539 CVE-2014-1761
182866: string.This program cannot be run in DOS mode
838590: string.LoadLibraryA
838370: string.GetModuleHandleA
840276: string.GetCommandLineA
787060: string.GetSystemMetrics
838214: string.GetProcAddress
838280: string.CreateProcessA
839822: string.EnterCriticalSection
839304: string.GetEnvironmentVariableA
838250: string.CloseHandle
839016: string.CreateFileA
834948: string.RegDeleteKeyA
788576: string.user32.dll
797704: string.shell32.dll
839628: string.KERNEL32
813155: string.ExitProcess
836712: string.GetMessageA
836160: string.CreateWindowExA
dropped.file exe 0b5152bf4a899278cda520381c791fb2 / 606008 bytes / @ 182788
dropped.file rtf 1436020df292d3537726b834c5e26943 / 110754 bytes / @ 788796


Cryptanalysis


key length: 4 bytes
key:

entropy: 100.00%



Dropped Files

exe at 182788
md5: 0b5152bf4a899278cda520381c791fb2
sha1: d62270b12e51f441b6ac270364c55fe5ea248386
sha256: 5476f4b9c49a59247a86dbc0e11bc12b63aaab3b23acaedf0a89c2b47f276fc9

rtf at 788796
md5: 1436020df292d3537726b834c5e26943
sha1: 45ab563331fad4f7e1e699d8c50f49560136eac9
sha256: baf8129986d5bdd43267d85e5fd7a90539db1b94fc5f92094833c0e5675a393b