Cryptam // document analysis


Sample Details

original filename: 1532\xcd\xb3\xd2\xbb\xcf\xa2.xls

size: 2169344 bytes
submitted: 2017-04-16 10:12:02
md5: 120ab55c5a4f853ef10c87e12b350716
sha1: fb4ed3e7f1a70b045d740ce2a0dafab8e8bb97ea
sha256: efa8a938024f4a6a82ee5dcdac2db74b7118791af0194c52ec0c415ca7db3a52
ssdeep: 24576:6BBicROidyXVDt/EfnXPZFxCovAL/X7W:6BXRJdU76n/w/X7
content/type: Composite Document File V2 Document, Little Endian, Os
analysis time: 4.72 s
result: malware [72]
embedded executable: found

signature hits:

2121568: exploit.office embedded Visual Basic write to file Scripting.FileSystemObject
2122152: exploit.office embedded Visual Basic execute shell command Wscript.Shell
2128645: exploit.office embedded Visual Basic accessing file OpenTextFile
2158302: suspicious.office Visual Basic macro
2118858: string.vbs On Error Resume Next
dropped.file vbs e72ef694a8daf1f82d256d67a1734bd4 / 19998 bytes / @ 2125258
dropped.file vbs a1a218be1c6f3b24796370003bc78c3a / 24088 bytes / @ 2145256


Dropped Files

vbs at 2125258
md5: e72ef694a8daf1f82d256d67a1734bd4
sha1: 7af3de522c7fb5fbffcce5efcdb2e88807f9c10e
sha256: cfc7b66486e3ffac0eeaa543f67e5bac8d97a65d2f24c0fc9049fcb075bbee6c

vbs at 2145256
md5: a1a218be1c6f3b24796370003bc78c3a
sha1: ecde8472218994b96a923bed4d754c06f31e2bf9
sha256: 904bad502044ab587434f33f418989eca107d0a3ffc8d22eb9918ba2b63b6712