Cryptam // document analysis


Sample Details

original filename: 3bccc98fb6b2dd6d136756a9fdd7de1cd97c93716c314a4fe24a1cca7cee49c63481aeb5e881205a0a6ebabfea5ef56230e24aef5abca408d06c739f3a4f4a63

size: 97280 bytes
submitted: 2017-04-16 10:44:23
md5: 9abc2fe617a0078ef91814cd3d2e8ca2
sha1: b8d0063adb2992b13b62ba00765503b49a50c633
sha256: abfa706ff008b773a98fbaa9ccb8bd42ace03458c29dac5a2afc29c48678200f
ssdeep: 1536:kSSS44gSSgAE0MVnLziCdymRxoiKTxp1gxv7yZmspH7+cclKiEZClsQ6NqTBun5w:wp1gxv7yZmspH7+cclKisQ6NqTBun5oZ
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 1.29 s
result: malware [72]
embedded executable: found

signature hits:

51550: exploit.office embedded Visual Basic write to file Scripting.FileSystemObject
52134: exploit.office embedded Visual Basic execute shell command Wscript.Shell
58643: exploit.office embedded Visual Basic accessing file OpenTextFile
87308: suspicious.office Visual Basic macro
48328: string.vbs On Error Resume Next
dropped.file vbs d57f68b34ed7534b1017fed7ae16f210 / 20131 bytes / @ 55248
dropped.file vbs 02fd5bcee4e01cd07fa03540a9b4ca4f / 21901 bytes / @ 75379


Dropped Files

vbs at 55248
md5: d57f68b34ed7534b1017fed7ae16f210
sha1: bb08cf9a5ed925272fdd8a0c03468fd44cebfc0d
sha256: 6c55f4b28be7cab9f9bf0de9a833a293d144dfdf0b4aca7e5aa398d654809b09

vbs at 75379
md5: 02fd5bcee4e01cd07fa03540a9b4ca4f
sha1: 0c7acf94ba3d3b4ec6f6f7dd021bbcc0510c0e66
sha256: 2bf8e243c2fd0ae6ebebc056ddb8f53e767baac0b0eaec7b3bc2064773e8732e