Cryptam // document analysis


Sample Details

original filename: fax.doc

size: 207360 bytes
submitted: 2017-10-07 20:12:15
md5: faeb4a6b936ff92b824cb2d8dd56d5a5
sha1: 9c7005de411550e9f160b2d93ffa277163c66cd7
sha256: b4f4b0e0df2b95cc6a7fe2a94341a69162305bd1149f257c85fe5e8a599b46b8
ssdeep: 3072:nVIfoAHKSOgwfTJO0eMrSTrFcyX68HLW5Za7ui9GU/3:nVIfoALOgeJeESTpcP8HLua7
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 53.97 s
result: malware [144]
embedded executable: found

signature hits:

188950: suspicious.office Visual Basic macro
17488: suspicious.office Packager ClassID used by CVE-2014-6352 C
205347: exploit.office VB Macro auto execute
20129: string.This program cannot be run in DOS mode
156671: string.LoadLibraryA
156687: string.GetModuleHandleA
158039: string.GetCommandLineA
156855: string.GetSystemMetrics
156653: string.GetProcAddress
158449: string.EnterCriticalSection
156731: string.CloseHandle
159117: string.CreateFileA
145647: string.KERNEL32
95086: string.ExitProcess
157015: string.CreateWindowExA
dropped.file exe 5e78f07410d4ad4eff8bc8b78a839c7b / 187309 bytes / @ 20051


Dropped Files

exe at 20051
md5: 5e78f07410d4ad4eff8bc8b78a839c7b
sha1: 178814c5ecfc1f2d0859e2f58e01322589c8a822
sha256: 59e8e72c8185209d0df952aedf0d7b8db9cf0436c26be8e32cc4baf14f5cdedf