Cryptam // document analysis

Sample Details

original filename: ebf79329362de515b69801917661301d.1

size: 1053036 bytes
submitted: 2018-02-09 18:32:51
md5: ebf79329362de515b69801917661301d
sha1: 4b38427b2c24e9b7723397dc6f9a24f69cf4e0d9
sha256: f9fedc98ae1dde10f8628c8111627e23f2c932df82383f08cdfd422eb0a5025a
ssdeep: 6144:XdNNeIdNNeIdNNeA0Og9hNlFB6Dtui+RD37UW5uM62qJq/+3AWmnHI:Xbzbzb1Dg/xB6Dtui+RDgWTqJqTno
content/type: data
analysis time: 59.82 s
result: malware [85]
embedded file objects: yes
embedded executable: found

signature hits:

embedded.file datastore-145 6d54020de5e555b5389b578f782cd2c5
datastore-145.embedded.file activeX37.xml 93d2b180df5ec8102767e9e19d2605d8
datastore-145.activeX37.xml.21: exploit.office MSCOMCTL.OCX TabStrip CVE-2012-1856 classid
datastore-145.embedded.file activeX1.bin f7971aa425ee0c86bb9464ef5900533e
embedded.file datastore-129366 6d54020de5e555b5389b578f782cd2c5
datastore-129366.embedded.file activeX37.xml 93d2b180df5ec8102767e9e19d2605d8
datastore-129366.activeX37.xml.21: exploit.office MSCOMCTL.OCX TabStrip CVE-2012-1856 classid
datastore-129366.embedded.file activeX1.bin f7971aa425ee0c86bb9464ef5900533e
embedded.file datastore-258587 a64c34b21bc3423dbb0e8d4d228bfcee
datastore-258587.embedded.file activeX37.xml 93d2b180df5ec8102767e9e19d2605d8
datastore-258587.activeX37.xml.21: exploit.office MSCOMCTL.OCX TabStrip CVE-2012-1856 classid
datastore-258587.embedded.file activeX1.bin f7971aa425ee0c86bb9464ef5900533e
1419: obfuscation.office RTF embedded Word Document
414131: string.This program cannot be run in DOS mode
427437: string.shell32.dll
dropped.file exe 02345a93d3b6e1aa9bc08bd31aafc93e / 638983 bytes / @ 414053

Cryptanalysis

key length: 4 bytes
key:

occurrences in file: 1404
entropy: 100.00%

Dropped Files

activeX37.xml at oxml
md5: 93d2b180df5ec8102767e9e19d2605d8
sha1: a4653e3b23480c14c3cfcd316d1d83481c135a0f
sha256: ab1a8144ffbd4f2403149e37ed31e49837ec9c8e792e1206035753fb976ddc3d

activeX1.bin at oxml
md5: f7971aa425ee0c86bb9464ef5900533e
sha1: 4bbc4f4ee3401c0776a0f7c76beb449ea0bdf273
sha256: a8faba39bebaf948e3aa88725a78fd8fb7bdf6d66c95481ef80e327de94bd050

datastore-258587 at rtf
md5: a64c34b21bc3423dbb0e8d4d228bfcee
sha1: 8d185fb1144b099889a13556c11c03afa3a86f42
sha256: ef30b2192e1913059236f0bd16ec8663c5eb02de792ba1e956c252e35f0e5ce3

exe at 414053
md5: 02345a93d3b6e1aa9bc08bd31aafc93e
sha1: b9195ef3ad327714ba3895a1626d0b5129380f11
sha256: 68139ae8ac7c1e305ed06e06a5abb702a6bc636cb9782b39e867fd45cf1ce8c8