The web and suite versions of the Cryptam document malware analysis system now calculate the imphash of embedded/dropped executables when possible and store this value in the dropped file info for searching. The imphash is an executable similarity hash based on the Import Address Table order, and its calculation is included in pefile.py. Cryptam is designed to statically extract XOR/ROL/ROR/NOT-obfuscated executables from malware documents such as RTF, MS Office, or PDF files, and it can automatically process the dropped files with Yara or an external sandbox.
Read more: http://blog.malwaretracker.com/2014/04/cryptam-malware-document-analizer.html
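To show why import order drives the imphash, here is an added example (not Cryptam's or pefile's own code) that applies the same style of normalization to constructed import lists and groups dropped files by the resulting hash. The sample file names and import lists are made up, and ordinal imports are simply rendered as `ord<N>` as an assumption.

```python
import hashlib

# Library extensions dropped before hashing, so "KERNEL32.dll" -> "kernel32".
_STRIP_EXT = ("dll", "ocx", "sys")


def normalize_import(library, symbol):
    """Build the 'lib.func' token for one import entry.

    symbol is a function name (str) or an import ordinal (int).
    """
    lib = library.lower()
    stem, _, ext = lib.rpartition(".")
    if stem and ext in _STRIP_EXT:
        lib = stem
    # Assumption: ordinal-only imports become "ord<N>"; the ordinal-to-name
    # tables a full implementation keeps for some DLLs are omitted here.
    name = f"ord{symbol}" if isinstance(symbol, int) else symbol.lower()
    return f"{lib}.{name}"


def imphash(imports):
    """MD5 over the comma-joined tokens, kept in import-table order."""
    tokens = [normalize_import(lib, sym) for lib, sym in imports]
    if not tokens:
        return ""  # no import table, nothing to hash
    return hashlib.md5(",".join(tokens).encode("ascii")).hexdigest()


def group_by_imphash(samples):
    """Map imphash -> list of sample names that share it."""
    groups = {}
    for name, imports in samples.items():
        groups.setdefault(imphash(imports), []).append(name)
    return groups


# Constructed sample data: a and b differ only in case; c reorders two imports.
SAMPLES = {
    "dropped_a.exe": [("KERNEL32.dll", "LoadLibraryA"),
                      ("KERNEL32.dll", "GetProcAddress"),
                      ("COMCTL32.dll", 17)],
    "dropped_b.exe": [("kernel32.DLL", "loadlibrarya"),
                      ("kernel32.DLL", "GetProcAddress"),
                      ("comctl32.dll", 17)],
    "dropped_c.exe": [("KERNEL32.dll", "GetProcAddress"),
                      ("KERNEL32.dll", "LoadLibraryA"),
                      ("COMCTL32.dll", 17)],
}

if __name__ == "__main__":
    for digest, names in group_by_imphash(SAMPLES).items():
        print(digest, names)
```

Files a and b fall into one group, while c gets its own hash because the same imports appear in a different order.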