Cryptam // document analysis


Sample Details

original filename: 909e505bda772da1323c1406b713e01814af0a4dfce5ac6dbdfc812f20056734f22143419ef651e8256a5e3246cf157fc9c4714bd0653967f3a9031e87d08706

size: 118272 bytes
submitted: 2017-04-16 10:43:18
md5: 1a9537b8bb6d45a02874e923a18a5281
sha1: 0fffcc80966ea2c081d67f5d913cafeadb7ad7cb
sha256: b3d747abfb6d00a75d19d62a0f18cb57c13539c68fd1839bf72a76633bf0a686
ssdeep: 1536:aqIII8AKGncNGNsi9zC5BqFSnRIkkRwk8kWG0gMVmYqBmN5L0zZGNm9Gk5OrWVbf:amq9AWVbrzu67ITkl5ceyJUJ
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 1.11 s
result: malware [72]
embedded executable: found

signature hits:

70006: exploit.office embedded Visual Basic write to file Scripting.FileSystemObject
70590: exploit.office embedded Visual Basic execute shell command Wscript.Shell
77099: exploit.office embedded Visual Basic accessing file OpenTextFile
105170: suspicious.office Visual Basic macro
67296: string.vbs On Error Resume Next
dropped.file vbs 86242820688b22ba6725302b84b3c9b3 / 20131 bytes / @ 73704
dropped.file vbs af55191502d60acba4b0b8c869bd97d5 / 24437 bytes / @ 93835


Dropped Files

vbs at 73704
md5: 86242820688b22ba6725302b84b3c9b3
sha1: 05c47ba70d318be2c429a4e3effb36e22add26f3
sha256: 8b7c7a0e1495f340a366ce3301255b2b1a5eafbeecaba47b32f44961963a42d2

vbs at 93835
md5: af55191502d60acba4b0b8c869bd97d5
sha1: 6a7e83050d2837c4bcc3efc2c4c37d3c33c7e46f
sha256: 9b663bc01a01455eaff1df21d669032a0ef5646eb9ffa322023f5a874d60f7ad