Cryptam // document analysis
Sample Details

original filename: ea648face6d442d1eb8f8dc45e6150d4.1

size: 484561 bytes
submitted: 2018-02-09 18:44:32
md5: ea648face6d442d1eb8f8dc45e6150d4
sha1: 04c53e1aabf090fccb8981aa34b4f8acc837c120
sha256: e957a728811f31bcf6a6c7d2ca18e951a5d2ca1f8c24d8c831c54a49bdc8f050
ssdeep: 6144:4OzJK5/a1V9thWvx1epq/5LEaAMc/uKnxvF7suO8sUyT+EKO09cgGUyafRUPn5uT:4SK5C1V9va1epu5QaBUxtYuW90O8T
content/type: Rich Text Format data, version 1, ANSI
analysis time: 51.23 s
result: malware [120]
embedded file objects: yes
embedded executable: found

signature hits:

embedded.file datastore-124 a996f9b85dff0d28f2111e4d6e09da88
datastore-124.embedded.file activeX37.xml 697982b692868d0fd05910954e0e971a
datastore-124.activeX37.xml.77: exploit.office MSCOMCTL.OCX TabStrip CVE-2012-1856 classid
datastore-124.activeX37.xml.56: suspicious.office activeX
datastore-124.embedded.file activeX1.bin 23cc315702179b8552b702892e433801
embedded.file datastore-98542 428dbcbf0b2e5b6f5efce544236a03d6
datastore-98542.embedded.file document.xml 254ccbc792e77ed08b4d76727ad63907
datastore-98542.document.xml.43717: exploit.office SmartTag element parsing CVE-2015-1641
datastore-98542.document.xml.44050: exploit.office SmartTag element parsing CVE-2015-1641
embedded.file datastore-161120 42489e79720c4deb398eca92c201b2ca
datastore-161120.embedded.file activeX37.xml 697982b692868d0fd05910954e0e971a
datastore-161120.activeX37.xml.77: exploit.office MSCOMCTL.OCX TabStrip CVE-2012-1856 classid
datastore-161120.activeX37.xml.56: suspicious.office activeX
datastore-161120.embedded.file activeX39.xml aa410ab76f7122c2a17c5f8645d47d40
datastore-161120.activeX39.xml.77: exploit.office Sandbox Overflow class id CVE-2015-1770
datastore-161120.activeX39.xml.56: suspicious.office activeX
datastore-161120.embedded.file ActiveX1.bin 4361d776a59566a0aaa5ba48db11f7a3
287: obfuscation.office RTF embedded Word Document
271631: string.This program cannot be run in DOS mode
dropped.file exe 2a87f3e8f3c0d2dc02aa92d35cf21b68 / 213008 bytes / @ 271553


Cryptanalysis


key length: 4 bytes
key:

occurrences in file: 6
entropy: 100.00%


Dropped Files

activeX37.xml at oxml
md5: 697982b692868d0fd05910954e0e971a
sha1: a86a5e7a04472429853fc8e7cb527068d81a1493
sha256: 5923857ab213b3b29348babfea4bf9590c4a3b193395eb0897d3934d4d29b158

activeX39.xml at oxml
md5: aa410ab76f7122c2a17c5f8645d47d40
sha1: ef34618fe02db69e3a00b93142102e78e6a4f93f
sha256: 6514a03cde437a6f747d0b698cb8f23fba70914d992e8d0bd1990dfb84d3dbc0

ActiveX1.bin at oxml
md5: 4361d776a59566a0aaa5ba48db11f7a3
sha1: 317a215e3ba4b7b4ffbc7c31aa4e165b733031d9
sha256: e57c83fab935d0d1310201cd5699e62f468b4fd49b31f651481f8f1ac11eb1d6

datastore-161120 at rtf
md5: 42489e79720c4deb398eca92c201b2ca
sha1: b84431687908fc933a53fe5fe08144b88d3a3a10
sha256: d6a3eb90ad4e15c72e447acca2a39854dea3d5c6e30f85f0d644a9111e48347b

exe at 271553
md5: 2a87f3e8f3c0d2dc02aa92d35cf21b68
sha1: e0fbe2a66487c821b7cb5e3501e21a9f9eedb339
sha256: 03e6f7b222b5c0bd162df5a064f078f3aa68eb5f79c9e5ad18704074beca764f