Cryptam // document analysis


Sample Details

original filename: a7a2036f1d0c10bfbfd9a6f1224e2eaec9c9a437e1ed9433d5e2c75373d33316

size: 580608 bytes
submitted: 2013-05-15 06:40:22
md5: 3de314089db35af9baaeefc598f09b23
sha1: eab27aab651c5c45224c083a8b57488355ce40e3
sha256: a7a2036f1d0c10bfbfd9a6f1224e2eaec9c9a437e1ed9433d5e2c75373d33316
ssdeep: 3072:U63uoOQiRNfzaR8Yun8ZzTVedcnR6BY2LT+MAAKxrYzaR8Yun8ZzTVedcn9VWMe:U6ezzaRLaod0Y2LTpAazaRLaodDVh
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 10.70 s
result: malware [128]
embedded executable: found

signature hits:

53760: suspicious.flash FWS flash in MS Office document
4808: suspicious.flash flash control in MS Office document
547955: flash.exploit CVE-2013-0634 memory corruption
569298: suspicious.office Visual Basic macro
54400: string.This program cannot be run in DOS mode
88254: string.LoadLibraryA
96752: string.GetModuleHandleA
87418: string.GetCommandLineA
96816: string.GetSystemMetrics
87574: string.GetProcAddress
87316: string.CreateProcessA
88148: string.EnterCriticalSection
87352: string.CloseHandle
87260: string.CreateFileA
87380: string.KERNEL32
81881: string.ExitProcess
dropped.file exe bd19e2f953096a251a3b0f6744cbe7de / 37456 bytes / @ 54322
dropped.file exe 432dce23d00694b103dd838144253d1b / 209852 bytes / @ 91778
dropped.file exe 0bb90855eba25441ab3bd2c6b4cf0dec / 37408 bytes / @ 301630
dropped.file exe e7c326f7cc20783ffc564d6e91f0457b / 241570 bytes / @ 339038



Dropped Files

exe at 54322
md5: bd19e2f953096a251a3b0f6744cbe7de
sha1: c3d92ecca11a47b824dfb4316fcdabe8330c7760
sha256: c69e4f22fd7c4727225ad25f7c4356cc45514b5611ca9c80eed90ed55b1f07a8

exe at 91778
md5: 432dce23d00694b103dd838144253d1b
sha1: 1b5338ce7c9ddea5aa6eb8fe60cfc2eb9cc440f4
sha256: 28b726fb77a5981330cfd9f3667a6e12e0e6381d859f7f2eff7a3bccc3397f17

exe at 301630
md5: 0bb90855eba25441ab3bd2c6b4cf0dec
sha1: b4b80d15814931708767a8120202075bea0b31b7
sha256: a43d2be3489fba7cab1aa31c9a4fcbabd90d863b24a0065bb4379809ad68d27f

exe at 339038
md5: e7c326f7cc20783ffc564d6e91f0457b
sha1: 9254a3cd39dbf82c12f7ff89f69736f4e91b47d2
sha256: 16323cd569e0eadd4ea2a2eeb891516ac295c35fdd5247b64aa08792572c8227