Cryptam // document analysis
Sample Details

original filename: 59748661c83b514c0c41e5665e64880a.virus

size: 156736 bytes
submitted: 2017-08-08 10:06:04
md5: 59748661c83b514c0c41e5665e64880a
sha1: 2d086aaa3b119946d01d77ba704a12cad2f16d5c
sha256: e3213f8965b8bf1f06ac5b4dd6a95e9a2e7a46b6024ecf952290793c8e1b7887
ssdeep: 3072:Y84pq6LMXP3w1hedJjFjdQhHt5eMFEEJ/uRiAAH1CE:k5Q3HFShN8MGdiPz
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 18.89 s
result: malware [82]
embedded executable: found

signature hits:

2563: exploit.office MSCOMCTL.OCX Toolbar MS12-060 A
2571: exploit.office MSCOMCTL.OCX Toolbar MS12-060
20946: suspicious.office Visual Basic macro
28750: string.This program cannot be run in DOS mode
32706: string.GetProcAddress
33920: string.CloseHandle
32982: string.KERNEL32
dropped.file exe 5a05dd2b2ee7c5718bbb87fd801ab416 / 6776 bytes / @ 28672
dropped.file exe 439c2611e4f6ebb27f9acad90e0abdb1 / 8776 bytes / @ 35448
dropped.file exe c95fe0754de68674775923504973cdda / 33720 bytes / @ 44224
dropped.file exe c26563819734dba7ec66bfee1beb6cdd / 11688 bytes / @ 77944
dropped.file exe c9f19987025dba068a19b5a36e947d9b / 36320 bytes / @ 89632
dropped.file doc 21f308e2bdde175b7f6b235fcd358349 / 30784 bytes / @ 125952

Cryptanalysis

key length: 32 bytes
key:

occurrences in file: 825
entropy: 100.00%
Dropped Files

exe at 28672
md5: 5a05dd2b2ee7c5718bbb87fd801ab416
sha1: d7a93d32be323f946848c3426652e9dc2fdd07ab
sha256: 540c88e32c1d952bcf9773acddbc76a9e304fef4d65f5b80e170209f8c5ccda2
exe at 35448
md5: 439c2611e4f6ebb27f9acad90e0abdb1
sha1: acc53918bddc87d12645b2b073c490bf5a8db028
sha256: 1c403a06999930a924e4897d1e5c0541618b47f9971baf76a467e6e7756f22ad
exe at 44224
md5: c95fe0754de68674775923504973cdda
sha1: d268c7303813d7df6bb4f435402347e6f9d61e1c
sha256: a4835dacff466b224325c2ff342eaa08bbaef41e5f9509f6c3abba0c478f5b3e
exe at 77944
md5: c26563819734dba7ec66bfee1beb6cdd
sha1: 4b38f1b5ce446ff9a8d426be343baa6d31bc6d6b
sha256: 302997afd970513a45954c32d0025df57c8a056a996c1669903636733b038667
exe at 89632
md5: c9f19987025dba068a19b5a36e947d9b
sha1: a37997e9d4dce52753b4ab59e581e54004d0a413
sha256: 8b13c843025b5c907f9c49131236abf22e5e82dd49adf46c277c09b191524ade
doc at 125952
md5: 21f308e2bdde175b7f6b235fcd358349
sha1: 1b3ba9fd6bfe0ace8c74c2dbdf31e661e0c40702
sha256: 400686373d8e081c5f9a85fb8c9148233a1a020c9f034c21af31e68f0b9663ef