Cryptam // document analysis
Sample Details

original filename: b6b6e1d2fecf4ba057eef3859ccbe969.virus

size: 156737 bytes
submitted: 2018-02-08 17:50:01
md5: b6b6e1d2fecf4ba057eef3859ccbe969
sha1: 415899d7e04876a9342b595322800b5b741f219c
sha256: d3055f1127434397a4cc3eb7821fc413eb279ca60f43c87c430f51c57843849b
ssdeep: 3072:Y84pq6LMXP3w1hedJjFjdQhHt5eMFEEJ/uRiAAH1C7:k5Q3HFShN8MGdiPO
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 2.63 s
result: malware [82]
embedded executable: found

signature hits:

2563: exploit.office MSCOMCTL.OCX Toolbar MS12-060 A
2571: exploit.office MSCOMCTL.OCX Toolbar MS12-060
20946: suspicious.office Visual Basic macro
28750: string.This program cannot be run in DOS mode
32706: string.GetProcAddress
33920: string.CloseHandle
32982: string.KERNEL32
dropped.file exe 5a05dd2b2ee7c5718bbb87fd801ab416 / 6776 bytes / @ 28672
dropped.file exe 439c2611e4f6ebb27f9acad90e0abdb1 / 8776 bytes / @ 35448
dropped.file exe c95fe0754de68674775923504973cdda / 33720 bytes / @ 44224
dropped.file exe c26563819734dba7ec66bfee1beb6cdd / 11688 bytes / @ 77944
dropped.file exe c9f19987025dba068a19b5a36e947d9b / 36320 bytes / @ 89632
dropped.file doc e20e6d7075f7067e74214b4d4ce1f2cf / 30785 bytes / @ 125952
Cryptanalysis
key length: 32 bytes
key:

occurrences in file: 825
entropy: 100.00%

Dropped Files

exe at 28672
md5: 5a05dd2b2ee7c5718bbb87fd801ab416
sha1: d7a93d32be323f946848c3426652e9dc2fdd07ab
sha256: 540c88e32c1d952bcf9773acddbc76a9e304fef4d65f5b80e170209f8c5ccda2

exe at 35448
md5: 439c2611e4f6ebb27f9acad90e0abdb1
sha1: acc53918bddc87d12645b2b073c490bf5a8db028
sha256: 1c403a06999930a924e4897d1e5c0541618b47f9971baf76a467e6e7756f22ad

exe at 44224
md5: c95fe0754de68674775923504973cdda
sha1: d268c7303813d7df6bb4f435402347e6f9d61e1c
sha256: a4835dacff466b224325c2ff342eaa08bbaef41e5f9509f6c3abba0c478f5b3e

exe at 77944
md5: c26563819734dba7ec66bfee1beb6cdd
sha1: 4b38f1b5ce446ff9a8d426be343baa6d31bc6d6b
sha256: 302997afd970513a45954c32d0025df57c8a056a996c1669903636733b038667

exe at 89632
md5: c9f19987025dba068a19b5a36e947d9b
sha1: a37997e9d4dce52753b4ab59e581e54004d0a413
sha256: 8b13c843025b5c907f9c49131236abf22e5e82dd49adf46c277c09b191524ade

doc at 125952
md5: e20e6d7075f7067e74214b4d4ce1f2cf
sha1: 4f12070ea470e5b2b638d6c4fa1d7cd8f16f48e7
sha256: 8527d93a5d3f3fe0e245ac5d4e7cf00bf9a20c259e2dcd725c7b01f1a0b1422f