Cryptam // document analysis
Sample Details

original filename: a2d9db0a3e99d0edb628cae4de44de38d1b9e4af4c38aae59a2929d1189dc6b9

size: 785952 bytes
submitted: 2014-04-05 23:20:07
md5: a6c267467c1f6c176530c15f18f55982
sha1: 9325054fce6d85de7340b52330325cdf8b5d8814
sha256: a2d9db0a3e99d0edb628cae4de44de38d1b9e4af4c38aae59a2929d1189dc6b9
ssdeep: 12288:+/ONN6tKF9kWS3itt76Zm743yQkb3RTZX5OEyWbhLro0UrttvNL7D3S:Jr62+pZm77pbBTcco0UrtzL7
content/type: data
analysis time: 662.81 s
result: malware [50]
embedded file objects: yes

signature hits:

embedded.file datastore-10858 316d0bc58e54bcdebcca8cd4e1e60991
datastore-10858.12: suspicious.office MSCOMCTL.OCX ImageComboCtl
datastore-10858.11: suspicious.office OLE MSCOMCTL.OCX ImageComboCtl
datastore-10858.4618: suspicious.office OLE MSCOMCTL.OCX ImageComboCtl wide
10809: suspicious.office RTF MSCOMCTL.OCX ImageComboCtl
10818: suspicious.office MSCOMCTL.OCX ImageComboCtl
6604: exploit.office RTF memory corruption listoverridecount CVE-2012-2539 CVE-2014-1761
6603: exploit.office RTF memory corruption listoverridecount CVE-2014-1761
Yara Tags

SA2953095_CVE_2014_1761_RTF
activex_imagecombo
rtf_unicode_rop
RTF_invalid_levelnumbers
RTF_invalid_leveltext
CVE_2014_1761_RTF_listoverridecount

Dropped Files

datastore-10858 at rtf
md5: 316d0bc58e54bcdebcca8cd4e1e60991
sha1: 919f631e6e46ae9629c2fc48103030a0eea0b418
sha256: 1e86783eab826abe69c84ca3bb4c52def7806fd77ad3fa54e98f0b3b19826c3a