Cryptam // document analysis
Sample Details

original filename: 72ef805a7be6f2e17a43de9add0ef06d.virus

size: 156685 bytes
submitted: 2017-06-14 07:36:54
md5: 72ef805a7be6f2e17a43de9add0ef06d
sha1: 3cf6edfb5c64f08f85e97d62eff63e158f513d0b
sha256: a8ac4c81ff5264b9616002ae926be9463e8f907c2993f8a182b798d00c93c8a7
ssdeep: 3072:Y84pq6LMXP3w1hedJjFjdQhHt5eMFEEJ/uRiAAH1Ca:k5Q3HFShN8MGdiP/
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 12.15 s
result: malware [82]
embedded executable: found

signature hits:

2563: exploit.office MSCOMCTL.OCX Toolbar MS12-060 A
2571: exploit.office MSCOMCTL.OCX Toolbar MS12-060
20946: suspicious.office Visual Basic macro
28750: string.This program cannot be run in DOS mode
32706: string.GetProcAddress
33920: string.CloseHandle
32982: string.KERNEL32
dropped.file exe 5a05dd2b2ee7c5718bbb87fd801ab416 / 6776 bytes / @ 28672
dropped.file exe 439c2611e4f6ebb27f9acad90e0abdb1 / 8776 bytes / @ 35448
dropped.file exe c95fe0754de68674775923504973cdda / 33720 bytes / @ 44224
dropped.file exe c26563819734dba7ec66bfee1beb6cdd / 11688 bytes / @ 77944
dropped.file exe c9f19987025dba068a19b5a36e947d9b / 36320 bytes / @ 89632
dropped.file doc 09ff660dc9ffa7a1bf14e2d69ab78e93 / 30733 bytes / @ 125952

Cryptanalysis

key length: 32 bytes
key:

occurrences in file: 825
entropy: 100.00%
Dropped Files

exe at 28672
md5: 5a05dd2b2ee7c5718bbb87fd801ab416
sha1: d7a93d32be323f946848c3426652e9dc2fdd07ab
sha256: 540c88e32c1d952bcf9773acddbc76a9e304fef4d65f5b80e170209f8c5ccda2

exe at 35448
md5: 439c2611e4f6ebb27f9acad90e0abdb1
sha1: acc53918bddc87d12645b2b073c490bf5a8db028
sha256: 1c403a06999930a924e4897d1e5c0541618b47f9971baf76a467e6e7756f22ad

exe at 44224
md5: c95fe0754de68674775923504973cdda
sha1: d268c7303813d7df6bb4f435402347e6f9d61e1c
sha256: a4835dacff466b224325c2ff342eaa08bbaef41e5f9509f6c3abba0c478f5b3e

exe at 77944
md5: c26563819734dba7ec66bfee1beb6cdd
sha1: 4b38f1b5ce446ff9a8d426be343baa6d31bc6d6b
sha256: 302997afd970513a45954c32d0025df57c8a056a996c1669903636733b038667

exe at 89632
md5: c9f19987025dba068a19b5a36e947d9b
sha1: a37997e9d4dce52753b4ab59e581e54004d0a413
sha256: 8b13c843025b5c907f9c49131236abf22e5e82dd49adf46c277c09b191524ade

doc at 125952
md5: 09ff660dc9ffa7a1bf14e2d69ab78e93
sha1: c9a4e4c2ca1987342813a48fae77290a6d97c947
sha256: d2cfb5e329721e2b62d3d09ddcdeb3f1eea0b5722eb102a753b6d3f300d6861d