Cryptam // document analysis


Sample Details

original filename: PrizmPay.xlsm

size: 3496760 bytes
submitted: 2017-10-07 22:10:46
md5: 8135d54afb87f58f62e1f0fa448920af
sha1: 167cab0a7c99e0596eb77808bf4aeb757c79abf7
sha256: b13beba69fc5168ec4ad9b4068d69c9ad6e309da333850fe7f608f799f36c2af
ssdeep: 98304:5jD2krD/oQn7xWMd75vpqap526IwKogSYBjYL4:hP/oQn7bV5RPQzSucM
content/type: Microsoft Excel 2007+
analysis time: 0.00 s
result: malware [90]
embedded file objects: yes
embedded executable: found

signature hits:

embedded.file vbaProject.bin dcfd8fe0adf31356774b468d23f2ec32
vbaProject.bin.11636: exploit.office embedded Visual Basic write to file Scripting.FileSystemObject
vbaProject.bin.672019: exploit.office embedded Visual Basic execute shell command Wscript.Shell
vbaProject.bin.3725370: string.shell32.dll
vbaProject.bin.2059475: string.vbs On Error Resume Next
vbaProject.bin.2100909: string.vbs CreateObject
embedded.file activeX19.xml d1c3dbe7433cb4657499e588a1d41a0b
activeX19.xml.77: exploit.office MSO MSCOMCTL.OCX RCE CVE-2012-0158 I


Dropped Files

vbaProject.bin at zip
md5: dcfd8fe0adf31356774b468d23f2ec32
sha1: 38db4f96a4fd55f4233fd549a45452fea0c3b191
sha256: d9306ae4ff7c5c7515d0a17ca8997bdaae39feff728f3f3124a1bcd5a459c66a

activeX19.xml at zip
md5: d1c3dbe7433cb4657499e588a1d41a0b
sha1: d0f390e132f08e7bd4903f16eab195902791e1de
sha256: 918637316990a4806903f170ad82aff51f828b7ac613ab5014c118a83b019fe1