
Analysis Report - Cisco Community (5/6/2016)

5/6/2016 feca4ffca4701fdaa076625269946d71
https://amptools.cisco.com/report.php?id=feca4ffca4701fdaa076625269946d71

Analysis Report
ID: feca4ffca4701fdaa076625269946d71
OS: 7601.17514.x86fre.win7sp1_rtm.101119-1850
Started: 5/6/16 11:45:38
Ended: 5/6/16 11:52:17
Duration: 0:06:39
Sandbox: phl-work-03 (pilot-d)
Filename: e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce.doc
Magic Type: Composite Document File V2 - DOC
Analyzed As: cdf
SHA256: e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce
SHA1: 93ba5346bcd03a3223c7ad6ca1c3fbd2dc2cc0d5
MD5: 35c2ea75be38d1d1cb902bef11d83993

Report sections: Metadata, Behavioral Indicators, Processes, Artifacts, Registry Activity, File Activity, Network Activity

Behavioral Indicators

VBA Macro Loads a COM Object (Severity: 90, Confidence: 90)
A VBA macro was discovered that loads a COM object. Office files support a modified form of VisualBasic that can perform operations on a document. In this case, the macro imports a COM object. COM objects can be used to communicate with other APIs on the system and extend functionality for the parent process. Malware may use this to import Windows APIs that allow more freedom for execution, such as WMI.
Categories: forensics
Tags: vba, macro, embedded, com, api
Artifact ID | SHA256 | Path
11 | e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce | \TEMP\e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce.doc
40 | e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce | e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce.doc

VBA Macro Has Action on Open (Severity: 70, Confidence: 85)
A VBA macro was discovered that uses a function to perform an action when its parent document is opened. Office files support a modified form of VisualBasic that can perform operations on a document. In this case, it has hooked a function that is called when the Office program or document is opened. This is not necessarily malicious. Legitimate uses include pulling in the latest data from an external source, alerting the user of the last modified time and so on. Malware uses this as a launch point to execute external programs as soon as the malicious document is opened.

Check the artifact data for further information.
Categories: forensics
Tags: vba, macro, auto, embedded
Artifact ID | SHA256 | Path
11 | e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce | \TEMP\e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce.doc
40 | e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce | e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce.doc

Process Modified File in a User Directory (Severity: 70, Confidence: 80)
Malware will modify files in user directories to hide logs or other evidence. Also, by modifying various files it can disable functionality in the system which may detect or hamper the operation of the malware. Lastly, it may be attempting to hide an executable, so that it appears to be a legitimate file. Please review the 'Disk Artifacts' section in order to view additional details about this file.
Categories: file
Tags: executable, file, process
Path | Process Name | Process ID
\Users\ADMINI~1\AppData\Local\Temp\VBE\MSForms.exd | WINWORD.EXE | 1104 (WINWORD.EXE)

Office Document Contains a VBA Macro (Severity: 70, Confidence: 80)
A Microsoft Office document was found that contains embedded macros. Office files support a modified form of VisualBasic that can perform operations on a document. Macros are not necessarily malicious. Legitimate uses include auto-saving a document, loading the latest data from a remote file and so on. Malware often uses macros as a springboard, launching other processes when the user opens or closes the document.
Categories: file
Tags: vba, macro, embedded
Artifact ID | SHA256 | Path
11 | e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce | \TEMP\e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce.doc
40 | e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce | e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce.doc

Artifact Flagged by Antivirus (Severity: 50, Confidence: 50)
An antivirus engine flagged an artifact as potentially malicious. This may be a false positive as Antivirus programs will also flag packed or encrypted software with a signature. Please confirm the file is indeed malicious. Checking other indicators and outbound communications will help to confirm this.
Categories: forensics
Tags: file
Path | Antivirus Result | Antivirus Product | Artifact ID
\TEMP\e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce.doc | Doc.Dropper.Agent-1398065 | ClamAV | 11
e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce.doc | Doc.Dropper.Agent-1398065 | ClamAV | 40

Executable Imported the IsDebuggerPresent Symbol (Severity: 20, Confidence: 20)
The IsDebuggerPresent function can be used by a process to check if a debugger has been attached to it, or is currently active on the system. Malware authors often check for the presence of a debugger as this is an indication that the malware is being analysed. The Malware may not run, or it may function differently, if a debugger is present, to make it more difficult to reverse-engineer its behavior. This is not an indicator of malicious activity as often legitimate programs import this function.
Categories: forensics
Tags: process, artifact, static, import, PE
Path | Artifact ID
448-lsm.exe | 17

Network Activity

HTTP Traffic
(no entries listed)

DNS Traffic
Stream: 3, Query: 45542
Query ID: 45542 | Timestamp: +68.657s | Type: * | Data: workstation | TTL: -
Answers (Query ID | Timestamp | Type | Data | TTL): none listed
Stream: 4, Query: 49059
Query ID: 49059 | Timestamp: +71.933s | Type: * | Data: workstation | TTL: -
Answers (Query ID | Timestamp | Type | Data | TTL): none listed

TCP/IP Streams
Stream | Src. IP | Src. Port | Dest. IP | Dest. Port | Transport | Artifacts | Packets | Bytes | Timestamp
0 | 0.0.0.0 | 68 | 255.255.255.255 | 67 | UDP | 0 | 3 | 1002 | +68.086s
1 (DHCP) | 172.16.185.18 | 68 | 172.16.1.1 | 67 | UDP | 0 | 2 | 656 | +68.288s
2 | 172.16.185.18 | 137 | 172.16.255.255 | 137 | UDP | 0 | 16 | 1536 | +68.505s
3 (DNS) | 172.16.185.18 | 56187 | 224.0.0.252 | 5355 | UDP | 0 | 2 | 114 | +68.56s
4 (DNS) | 172.16.185.18 | 53314 | 224.0.0.252 | 5355 | UDP | 0 | 2 | 114 | +71.827s
5 | 172.16.185.18 | 138 | 172.16.255.255 | 138 | UDP | 0 | 5 | 1069 | +74.7s

Processes
Name | PID | Children | File Actions | Registry Actions | Analysis Reason
WINWORD.EXE | 1104 | 0 | 10 | 618 | Is target sample.
winlogon.exe | 388 | 0 | 0 | 0 | Process activity after target sample started.
services.exe | 432 | 0 | 0 | 0 | Process activity after target sample started.
lsass.exe | 440 | 0 | 1 | 0 | Process activity after target sample started.
lsm.exe | 448 | 0 | 0 | 0 | Process activity after target sample started.
svchost.exe | 560 | 0 | 0 | 1 | Process activity after target sample started.
svchost.exe | 624 | 0 | 0 | 3 | Process activity after target sample started.
svchost.exe | 676 | 0 | 4 | 0 | Process activity after target sample started.
svchost.exe | 788 | 0 | 0 | 0 | Process activity after target sample started.
svchost.exe | 824 | 0 | 1 | 0 | Process activity after target sample started.
wmiprvse.exe | 904 | 0 | 2 | 0 | Process activity after target sample started.
OSPPSVC.EXE | 912 | 0 | 0 | 0 | Process activity after target sample started.
svchost.exe | 1008 | 0 | 0 | 0 | Process activity after target sample started.
Explorer.EXE | 1160 | 0 | 0 | 1 | Process activity after target sample started.

Artifacts

Artifact 1: \Users\Administrator\AppData\Local\Te...8CABC5EC36A6B3C7.TMP
  Src: disk | Imports: 0 | Type: (empty) | Size: 512 | Exports: 0 | AV Sigs: 0
  SHA256: 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560 | MD5: bf619eac0cdf3f68d496ea9344137e8b

Artifact 2: \Users\Administrator\AppData\Local\Te...8D9CF3849F6D4680.TMP
  Src: disk | Imports: 0 | Type: (empty) | Size: 512 | Exports: 0 | AV Sigs: 0
  SHA256: 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560 | MD5: bf619eac0cdf3f68d496ea9344137e8b

Artifact 3: \Users\Administrator\AppData\Local\Te...AA4107F584A03207.TMP
  Src: disk | Imports: 0 | Type: (empty) | Size: 512 | Exports: 0 | AV Sigs: 0
  SHA256: 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560 | MD5: bf619eac0cdf3f68d496ea9344137e8b

Artifact 4: \Users\Administrator\AppData\Local\Te...1780D88CFBDA0CAD.TMP
  Src: disk | Imports: 0 | Type: (empty) | Size: 16384 | Exports: 0 | AV Sigs: 0
  SHA256: 4fe7b59af6de3b665b67788cc2f99892ab827efae3a467342b3bb4e3bc8e5bfe | MD5: ce338fe6899778aacfc28414f2d9498b

Artifact 5: \Users\Administrator\ntuser.dat.LOG1
  Src: disk | Imports: 0 | Type: MS Windows registry file, NT/2000 or above | Size: 262144 | Exports: 0 | AV Sigs: 0
  SHA256: 7c9408da03fa57630c1db72c0a1f5fe9df26db49e30781f3785f5ab067c80f5b | MD5: f46de1325fca7c39dd79d4af9fe2906e

Artifact 6: \Windows\rescache\rc0004\ResCache.hit
  Src: disk | Imports: 0 | Type: data | Size: 4224 | Exports: 0 | AV Sigs: 0
  SHA256: 8e1278c3c633cdc242f95165d5ee25b6794094b0b4c4610c5228f23d1860fdb6 | MD5: 9a4c29f899626568bb88f0c9e8a4451b

Artifact 7: \Users\Administrator\AppData\Local\Temp\VBE\MSForms.exd
  Src: disk | Imports: 0 | Type: data | Size: 147284 | Exports: 0 | AV Sigs: 0
  SHA256: bb4bbe039d58179d23d912bbb2922345973a66cc6dee8f69be6a53017664e03a | MD5: 169365d0096a8c63837aa4b2894baed6

Artifact 8: \Users\Administrator\AppData\Local\Mi...B2-DE2176E172F4}.tmp
  Src: disk | Imports: 0 | Type: (empty) | Size: 65536 | Exports: 0 | AV Sigs: 0
  SHA256: de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31 | MD5: fcd6bcb56c1689fcef28b57c22475bad

Artifact 9: \Users\Administrator\AppData\Local\Mi...CE-9518D2BE8E0B}.tmp
  Src: disk | Imports: 0 | Type: (empty) | Size: 0 | Exports: 0 | AV Sigs: 0
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | MD5: d41d8cd98f00b204e9800998ecf8427e

Related to: artifact 41
Modified by: 1104 (WINWORD.EXE) (three identical entries)

Artifact 10: \Users\Administrator\AppData\Local\Temp\CVR494B.tmp.cvr
  Src: disk | Imports: 0 | Type: (empty) | Size: 0 | Exports: 0 | AV Sigs: 0
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | MD5: d41d8cd98f00b204e9800998ecf8427e

Artifact 11: \TEMP\e5cbeeaec2935cc0008353ea304af53...634fd1faa62c6fce.doc
  Src: disk | Imports: 0 | Type: DOC - Composite Document File V2 Document, Little Endian,... | Size: 110080 | Exports: 0 | AV Sigs: 1
  SHA256: e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce | MD5: 35c2ea75be38d1d1cb902bef11d83993

Artifact 12: \Users\Administrator\AppData\Roaming\...plates\~$Normal.dotm
  Src: disk | Imports: 0 | Type: DOTX - data | Size: 162 | Exports: 0 | AV Sigs: 0
  SHA256: 95e3109930d9f672b868d08edcaae494427b9e916dc0e39a05335bedcae07c29 | MD5: 90ce4d001f66f72d01b76e72d54dd4ff

Artifact 13: \Users\Administrator\AppData\Roaming\...d1faa62c6fce.doc.LNK
  Src: disk | Imports: 0 | Type: LNK - MS Windows shortcut, Item id list present, Points t... | Size: 822 | Exports: 0 | AV Sigs: 0
  SHA256: fc0a4d6447d50b2c068cf550df5920e54d96f871504df5f920e79e4fbf301f54 | MD5: 30be0991d24e79b431de8ceef40f1cb2

Artifact 14: \Users\Administrator\AppData\Local\Mi...1B-5E2E3B2B0184}.tmp
  Src: disk | Imports: 0 | Type: data | Size: 1024 | Exports: 0 | AV Sigs: 0
  SHA256: 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1 | MD5: 5d4d94ee7e06bbb0af9584119797b23a

Modified by: 1104 (WINWORD.EXE)
Related to: 432 (services.exe)
Related to: 448 (lsm.exe)

Artifact 15: \Users\Administrator\AppData\Roaming\...ice\Recent\index.dat
  Src: disk | Imports: 0 | Type: data | Size: 1076 | Exports: 0 | AV Sigs: 0
  SHA256: e63ae18c3f5e56219212e1c2d9c0a2272967de9cd62d132079e6530c16ee2db3 | MD5: 824742e880e32b80d35e011ef9414473

Artifact 16: 432-services.exe
  Src: memory | Imports: 299 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | Size: 259072 | Exports: 0 | AV Sigs: 0
  SHA256: 0a890a122ab8d09e4e48505f8beab9233c25e69c789e04dc858ef29585ea7725 | MD5: 003697e1a2120659d51cfe3abcd52ed6

Artifact 17: 448-lsm.exe
  Src: memory | Imports: 245 | Type: PE - PE32 executable (console) Intel 80386, for MS Windows | Size: 267776 | Exports: 0 | AV Sigs: 0
  SHA256: 272fb520e9682f2a0a1e6eea43f4dd3edd0e4eb94850655f90001930c2f06bfd | MD5: 44200f2dcbb69fa1baa440a64777b95b

Artifact 18: executable.1148.exe
  Src: memory | Imports: 0 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | Size: 92672 | Exports: 0 | AV Sigs: 0
  SHA256: 2b7880e8d3af254897b9c4531f917f303d0bbcbcbd85c587b54fc054a6b8b464 | MD5: 7a289315e62ebe3094bfffe4cc3a65df

Artifact 19: executable.340.exe
  Src: memory | Imports: 0 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | Size: 96256 | Exports: 0 | AV Sigs: 0
  SHA256: 3202e16f49037d52f938ce2ad100335acc0655e2c264d98bdf5f451efa35e2f9 | MD5: a4d935bcc4a4cb1045b22f74740e6587

Related to: 624 (svchost.exe)
Related to: 676 (svchost.exe)

Artifact 20: 624-svchost.exe
  Src: memory | Imports: 98 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | Size: 20992 | Exports: 0 | AV Sigs: 0
  SHA256: 3b224f97bf352fa6406ec72e39d254cc8aa388cf00ba5ae84d14ec6ec6478e48 | MD5: 92b91920efe0421a2baf44ae2923a49e

Artifact 21: executable.884.exe
  Src: memory | Imports: 0 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | Size: 20992 | Exports: 0 | AV Sigs: 0
  SHA256: 4b7cfe0aabe9832096dd97ba3bcb07106c3c8eb2ee3018a2f05cb43a95b0f84d | MD5: 33501164f9565f7f2b678d61e5edbcc3

Artifact 22: executable.1976.exe
  Src: memory | Imports: 0 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | Size: 20992 | Exports: 0 | AV Sigs: 0
  SHA256: 50cc1b6dabcb827d2c0d87ed72e84252fcfd056570dfe76cafb16722c99b57ed | MD5: 4bd2d60a5531d0e02a5609aa738531d3

Artifact 23: 676-svchost.exe
  Src: memory | Imports: 98 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | Size: 20992 | Exports: 0 | AV Sigs: 0
  SHA256: 5d943a0d5231a19f06e166f53cbf42072ba72ece0c4464c5eb95ce30fe7c6c85 | MD5: 75d1d84939021d5e28484a05c856063f

Artifact 24: executable.540.exe
  Src: memory | Imports: 0 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | Size: 141824 | Exports: 0 | AV Sigs: 0
  SHA256: 5df31b0a945534b70520ca6bf6a836a295090d036758ff3c93d4528d5b1d527e | MD5: 9d62d4a1d97323269d29208ed4971552

Related to: 788 (svchost.exe)
Related to: 560 (svchost.exe)
Related to: 1104 (WINWORD.EXE)

Artifact 25: executable.348.exe
  Src: memory | Imports: 0 | Type: PE - PE32 executable (native) Intel 80386, for MS Windows | Size: 6144 | Exports: 0 | AV Sigs: 0
  SHA256: 60f42c2127ad04f84b3ec0b58bad59710c23b459d33762e32a9cbdeb045453eb | MD5: 0be80e8147962cc776054f9780270fac

Artifact 26: 788-svchost.exe
  Src: memory | Imports: 98 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | Size: 20992 | Exports: 0 | AV Sigs: 0
  SHA256: 879da756ff518b7908fa90f4e323f17f78bb5a3aadf5d3a6f73515c11004043c | MD5: 26d71a676c7a77ffa4cba826c08e9016

Artifact 27: 560-svchost.exe
  Src: memory | Imports: 98 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | Size: 20992 | Exports: 0 | AV Sigs: 0
  SHA256: 898ecaad4941e1b41b26a5fe3104e8ffb94a005a82b71f17f9593604288d045b | MD5: 74db76f94a70bc633aed2a94ae10a5f5

Artifact 28: 1104-WINWORD.EXE
  Src: memory | Imports: 57 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | Size: 1416192 | Exports: 0 | AV Sigs: 0
  SHA256: 8aa46afb000892b40198c1498ad2f69432bda64c9e5aaaf5f1f847f6f6531e27 | MD5: 28d0fcf57721351f7224ed461e4c7232

Artifact 29: executable.208.exe
  Src: memory | Imports: 0 | Type: PE - PE32 executable (native) Intel 80386, for MS Windows | Size: 69632 | Exports: 0 | AV Sigs: 0
  SHA256: 8c4883c367ce250ad150ac104fd14d94ff58c413ce341dfd0098927a4a0a3968 | MD5: 6b673f258a38c5a68828d477ecc8ace5

Artifact 30: executable.1604.exe
  Src: memory | Imports: 0 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | Size: 49152 | Exports: 0 | AV Sigs: 0
  SHA256: 8d5e184df895b4fec4d0f6a513bcba252022e4679f5c92cf1b18729104370ac6 | MD5: 21e05b77c7d0c262fae72932f65b646d

Related to: 388 (winlogon.exe)
Related to: 824 (svchost.exe)
Related to: 1008 (svchost.exe)
Related to: 1160 (Explorer.EXE)

Artifact 31: 388-winlogon.exe
  Src: memory | Imports: 338 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | Size: 286720 | Exports: 0 | AV Sigs: 0
  SHA256: 8e20ea3184bf7bb065ad51d26159f386d551a5ddde646b0669fa2d58c9cfe7bd | MD5: 217ae145e13184357ff7cf7191a1fb7a

Artifact 32: executable.292.exe
  Src: memory | Imports: 0 | Type: PE - PE32 executable (native) Intel 80386, for MS Windows | Size: 6144 | Exports: 0 | AV Sigs: 0
  SHA256: aada648873c89f8c7fdabb5c94672c1db6c8d878748abf43bcc6010965b1f5a2 | MD5: 60e8fb609b096db6a11cc1ce2129faa1

Artifact 33: 824-svchost.exe
  Src: memory | Imports: 98 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | Size: 20992 | Exports: 0 | AV Sigs: 0
  SHA256: ae5080cac58b1faf8f0841c0e1e85a3f6a7a55d626368c1f150ed6377884ed06 | MD5: f07b8e93568ca5ecb9a7d66a04147f98

Artifact 34: 1008-svchost.exe
  Src: memory | Imports: 98 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | Size: 20992 | Exports: 0 | AV Sigs: 0
  SHA256: bab30518bdb484b53871a1737d7d56c19962991c176869c170bce7b04839c8e3 | MD5: a7ec42706419643dfeb82aba34ec12d4

Artifact 35: 1160-Explorer.EXE
  Src: memory | Imports: 500 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | Size: 2616320 | Exports: 0 | AV Sigs: 0
  SHA256: bc00bcf96b757db683e962fc9ad5d0ce8c9c40bdcb4ae6e6d500ea7d46f480a2 | MD5: 4b846e12badc6bbf2ee9301bfe3e89e4

Related to: 912 (OSPPSVC.EXE)
Related to: 440 (lsass.exe)
Related to: artifact 65

Artifact 36: 912-OSPPSVC.EXE
  Src: memory | Imports: 215 | Type: PE - PE32 executable (console) Intel 80386, for MS Windows | Size: 4633088 | Exports: 0 | AV Sigs: 0
  SHA256: dd399d329b7609863ccdc0c31e0b71285967563950418987346c2d35efbcd301 | MD5: 530ea7d84c8adb3c31899abc93afa748

Artifact 37: executable.1300.exe
  Src: memory | Imports: 0 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | Size: 20992 | Exports: 0 | AV Sigs: 0
  SHA256: e4ee98c0cbe5beea324a4c22d32b1e0cdbef05f0ea7da7c2a3d1a98d8b40ab8b | MD5: 9162f2459c6e468f250a95f31466436d

Artifact 38: 440-lsass.exe
  Src: memory | Imports: 91 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | Size: 22528 | Exports: 0 | AV Sigs: 0
  SHA256: e64e492005ca0ae44ed67937666a5ececdb68b836a96ddd8009c83a2e357c38c | MD5: 205ad3669c371e43b969ebc82c8e9396

Artifact 39: executable.1688.exe
  Src: memory | Imports: 0 | Type: PE - PE32 executable (GUI) Intel 80386, for MS Windows | Size: 20992 | Exports: 0 | AV Sigs: 0
  SHA256: f02ae58e4aaf00714172f165a054ab3adb4c3b3eaea5e6faf14a5dd9f7ac3c0c | MD5: 443caf7b57db8841b19f20dee7f34fd9

Artifact 40: e5cbeeaec2935cc0008353ea304af53ea243d...634fd1faa62c6fce.doc
  Src: submitted | Imports: 0 | Type: DOC - Composite Document File V2 Document, Little Endian,... | Size: 110080 | Exports: 0 | AV Sigs: 1
  SHA256: e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce | MD5: 35c2ea75be38d1d1cb902bef11d83993

Related to: artifact 11 (five identical entries)

Artifact 41: \data
  Src: extracted | Imports: 0 | Type: data | Size: 11413 | Exports: 0 | AV Sigs: 0
  SHA256: cf171cc1c525c7e8069ae1d6e0e42a4593ec934d7721364a0b926ce806a52845 | MD5: 644a29d62742fb2b4390d8e9ac05265d

Artifact 42: \1table
  Src: extracted | Imports: 0 | Type: data | Size: 14005 | Exports: 0 | AV Sigs: 0
  SHA256: ab31e984ffe872ab579f6f3540c321584002d545c8cd005972f24704da1d2adc | MD5: 7f56724b4a25a76dea8aa693a0f3a1d3

Artifact 43: \worddocument
  Src: extracted | Imports: 0 | Type: data | Size: 13984 | Exports: 0 | AV Sigs: 0
  SHA256: 9fab2a3ea625db4f60a71d98ef9ce7e36b76fb5a1daf0964edc6885da793888f | MD5: 99afc824fe8bc37b51f37094c88d0a7a

Artifact 44: \s\\5summaryinformation
  Src: extracted | Imports: 0 | Type: data | Size: 4096 | Exports: 0 | AV Sigs: 0
  SHA256: fb149c6c04c691d966e79ac721baa60594e0080b7aad9e5ee333b09dabfd83ae | MD5: abc6163c6f064e5b3fba76533fcf6e8d

Artifact 45: \s\\5documentsummaryinformation
  Src: extracted | Imports: 0 | Type: data | Size: 4096 | Exports: 0 | AV Sigs: 0
  SHA256: 138794ad0e2b2547cd4607eaf6c7ea80066488b51e355c5601fc974c40975365 | MD5: 7ae8730c9fd5e7a1764fd7cb548ff325

Related to: artifact 11 (six identical entries)

Artifact 46: \macros\vba\thisdocument
  Src: extracted | Imports: 0 | Type: data | Size: 7814 | Exports: 0 | AV Sigs: 0
  SHA256: a2948ce234760f39b55eee26875c77d2cb0c89899847afabf2273a3ffe554540 | MD5: 1d4ac259729f17a70b969d6119b6d984

Artifact 47: \macros\vba\__srp_2
  Src: extracted | Imports: 0 | Type: data | Size: 3112 | Exports: 0 | AV Sigs: 0
  SHA256: 5b1135837c41d13bfbb0268570ac5b33aecda81b4bc1d8e8d2dcc19241200b4b | MD5: 77fc0fc2c43bc1c8a86d74241e86980b

Artifact 48: \macros\vba\__srp_3
  Src: extracted | Imports: 0 | Type: data | Size: 1430 | Exports: 0 | AV Sigs: 0
  SHA256: 52e5272bf4b5089e132b837e0dc995e131258ad137d32e47ad6a2472fd617993 | MD5: 1cda4e58359f3a1d8004a7c3c31d7afc

Artifact 49: \macros\vba\kadlcyihk
  Src: extracted | Imports: 0 | Type: data | Size: 1181 | Exports: 0 | AV Sigs: 0
  SHA256: 40340db6e6e1d28089cf9738d5d40795031b8c7812adb35e62619e32bd02897b | MD5: a9be4ede135e6d9360f6dc1503f85af8

Artifact 50: \macros\vba\xesuifuquqjcprl
  Src: extracted | Imports: 0 | Type: data | Size: 5169 | Exports: 0 | AV Sigs: 0
  SHA256: f2c0f9b893a4487b31bc61baa385e00e7962d5c7918d71872e6b5217caee19b5 | MD5: c4ce549dacf4d66d1f4685814fe5508b

Artifact 51: \macros\vba\tckkopvxvcxb
  Src: extracted | Imports: 0 | Type: data | Size: 5602 | Exports: 0 | AV Sigs: 0
  SHA256: 919eb71476c664d33c2f66ff9a387871d7f27ff1970bf7a85850a2dc0f087f59 | MD5: fe698826aeaa43b22bab08d76e9724cc

Related to: artifact 11 (five identical entries)

Artifact 52: \macros\vba\zzqurfe1
  Src: extracted | Imports: 0 | Type: data | Size: 3645 | Exports: 0 | AV Sigs: 0
  SHA256: f9de38ee5b50f6e7cf9e9d0945e5e2bdf178b682a56ac2af9ad245d809061bf4 | MD5: a8aa2b121b18cc867df8aba5dd578806

Artifact 53: \macros\vba\ygkkmfpvl
  Src: extracted | Imports: 0 | Type: data | Size: 4007 | Exports: 0 | AV Sigs: 0
  SHA256: af65895afc2735887bb090c7eb3726bffbfd2f1b2db7d8391a7cb4e2418ecd42 | MD5: d5faf98cefff312e8721f0f1e6fc49e3

Artifact 54: \macros\vba\_vba_project
  Src: extracted | Imports: 0 | Type: data | Size: 7830 | Exports: 0 | AV Sigs: 0
  SHA256: e9d688db1f738942534b298fb38ce371d086cb37ef1f96d77a8ecfdaa3b002e9 | MD5: e8f82685ef9283077b91968d2fe4dccc

Artifact 55: \macros\vba\dir
  Src: extracted | Imports: 0 | Type: data | Size: 1057 | Exports: 0 | AV Sigs: 0
  SHA256: bbc5a0603ce661c12f76999cc8ed276549454ad91ef6de55cfd2baa0f075165b | MD5: 399873f862464a45f38e7fb3a1da1280

Artifact 56: \macros\vba\__srp_0
  Src: extracted | Imports: 0 | Type: data | Size: 2988 | Exports: 0 | AV Sigs: 0
  SHA256: a3df7bba43243b315c30db226ad95a22ac4c6d70fe79ad411371b05ac7f1df69 | MD5: 8b955f3a2b8386848a1ec1722b2ad6fb

Related to: artifact 11 (five identical entries)

Artifact 57: \macros\vba\__srp_1
  Src: extracted | Imports: 0 | Type: data | Size: 537 | Exports: 0 | AV Sigs: 0
  SHA256: 124fc78beac03408cb19978deb3f15fb38f792e00570fa57df3de564a43c52ec | MD5: 1855eb0c4b91ed82a1f964b6363a4e81

Artifact 58: \macros\kadlcyihk\f
  Src: extracted | Imports: 0 | Type: data | Size: 2386 | Exports: 0 | AV Sigs: 0
  SHA256: 1122b587307c15f6bc14fe6c9b2a499cc505cda826f81671ca784d8cbbcb16e1 | MD5: 3b5d20900a1943776037babc69821da4

Artifact 59: \macros\kadlcyihk\o
  Src: extracted | Imports: 0 | Type: data | Size: 4492 | Exports: 0 | AV Sigs: 0
  SHA256: b0635c9dcebe4d35240ff49fd9252438149ec75317a059a51123c096811823fb | MD5: 3c5a87c70e0e25dd5a0de39a8ce60d0f

Artifact 60: \macros\kadlcyihk\s\\1compobj
  Src: extracted | Imports: 0 | Type: data | Size: 97 | Exports: 0 | AV Sigs: 0
  SHA256: 057e3d39cd6e6b882c9cebfb56920db712f49cd628b35bf58e1fd544c0bea20b | MD5: 8b485527ad9d96fe72d3fba385f0ad95

Artifact 61: \macros\kadlcyihk\s\\3vbframe
  Src: extracted | Imports: 0 | Type: ASCII text, with CRLF line terminators | Size: 296 | Exports: 0 | AV Sigs: 0
  SHA256: a29a3aed6332864847289f3b9c0bfb0f6bbcf533a52fdebf7375e8626f92552c | MD5: 9644d7f5a99bc93fa45867e6d54e7329

Related to: artifact 11 (three identical entries)
Related to: artifact 40 (three identical entries)

Artifact 62: \macros\projectwm
  Src: extracted | Imports: 0 | Type: data | Size: 215 | Exports: 0 | AV Sigs: 0
  SHA256: aacc2c9c7b95c254d9cfec5965022f160c676080b9fe1a47320fb29ed927d4a0 | MD5: 7f6bc44e5b93723c31e18ed591dfaf87

Artifact 63: \macros\project
  Src: extracted | Imports: 0 | Type: ASCII text, with CRLF line terminators | Size: 702 | Exports: 0 | AV Sigs: 0
  SHA256: bb21fcdda8d0ad7fcf20895542c3f5b88039cfb8bcf49d97325d8117ceb1454d | MD5: dc177f6ab2b99e1af9db963574b7a011

Artifact 64: \s\\1compobj
  Src: extracted | Imports: 0 | Type: data | Size: 114 | Exports: 0 | AV Sigs: 0
  SHA256: f70fe384c672865fff4bb8ab60d73098bc751e8f2aa915b8aff2e2085648b428 | MD5: 367e9d6e505ece35eba2c1469c5cd664

Artifact 65: \data
  Src: extracted | Imports: 0 | Type: data | Size: 11413 | Exports: 0 | AV Sigs: 0
  SHA256: cf171cc1c525c7e8069ae1d6e0e42a4593ec934d7721364a0b926ce806a52845 | MD5: 644a29d62742fb2b4390d8e9ac05265d

Artifact 66: \1table
  Src: extracted | Imports: 0 | Type: data | Size: 14005 | Exports: 0 | AV Sigs: 0
  SHA256: ab31e984ffe872ab579f6f3540c321584002d545c8cd005972f24704da1d2adc | MD5: 7f56724b4a25a76dea8aa693a0f3a1d3

Artifact 67: \worddocument
  Src: extracted | Imports: 0 | Type: data | Size: 13984 | Exports: 0 | AV Sigs: 0
  SHA256: 9fab2a3ea625db4f60a71d98ef9ce7e36b76fb5a1daf0964edc6885da793888f | MD5: 99afc824fe8bc37b51f37094c88d0a7a

Related to: artifact 40 (five identical entries)

Artifact 68: \s\\5summaryinformation
  Src: extracted | Imports: 0 | Type: data | Size: 4096 | Exports: 0 | AV Sigs: 0
  SHA256: fb149c6c04c691d966e79ac721baa60594e0080b7aad9e5ee333b09dabfd83ae | MD5: abc6163c6f064e5b3fba76533fcf6e8d

Artifact 69:  � ⧵s⧵⧵5documentsummaryinformationSrc: extractedImports: 0Type: dataSHA256: 138794ad0e2b2547cd4607eaf6c7ea80066488b51e355c5601fc974c40975365Size: 4096Exports: 0AV Sigs: 0MD5: 7ae8730c9fd5e7a1764fd7cb548ff325

Artifact 70:  � ⧵macros⧵vba⧵thisdocumentSrc: extractedImports: 0Type: dataSHA256: a2948ce234760f39b55eee26875c77d2cb0c89899847afabf2273a3ffe554540Size: 7814Exports: 0AV Sigs: 0MD5: 1d4ac259729f17a70b969d6119b6d984

Artifact 71:  � ⧵macros⧵vba⧵__srp_2Src: extractedImports: 0Type: dataSHA256: 5b1135837c41d13bfbb0268570ac5b33aecda81b4bc1d8e8d2dcc19241200b4bSize: 3112Exports: 0AV Sigs: 0MD5: 77fc0fc2c43bc1c8a86d74241e86980b

Artifact 72:  � ⧵macros⧵vba⧵__srp_3Src: extractedImports: 0Type: data

Page 21: Analysis Report - Cisco Community5/6/2016 feca4ffca4701fdaa076625269946d71  1/24 Severity: 90 Confidence: 90 Severity: 70

5/6/2016 feca4ffca4701fdaa076625269946d71

https://amptools.cisco.com/report.php?id=feca4ffca4701fdaa076625269946d71 21/24

Related to: artifact 40

Related to: artifact 40

Related to: artifact 40

Related to: artifact 40

Related to: artifact 40

SHA256: 52e5272bf4b5089e132b837e0dc995e131258ad137d32e47ad6a2472fd617993Size: 1430Exports: 0AV Sigs: 0MD5: 1cda4e58359f3a1d8004a7c3c31d7afc

Artifact 73:  � ⧵macros⧵vba⧵kadlcyihkSrc: extractedImports: 0Type: dataSHA256: 40340db6e6e1d28089cf9738d5d40795031b8c7812adb35e62619e32bd02897bSize: 1181Exports: 0AV Sigs: 0MD5: a9be4ede135e6d9360f6dc1503f85af8

Artifact 74:  � ⧵macros⧵vba⧵xesuifuquqjcprlSrc: extractedImports: 0Type: dataSHA256: f2c0f9b893a4487b31bc61baa385e00e7962d5c7918d71872e6b5217caee19b5Size: 5169Exports: 0AV Sigs: 0MD5: c4ce549dacf4d66d1f4685814fe5508b

Artifact 75:  � ⧵macros⧵vba⧵tckkopvxvcxbSrc: extractedImports: 0Type: dataSHA256: 919eb71476c664d33c2f66ff9a387871d7f27ff1970bf7a85850a2dc0f087f59Size: 5602Exports: 0AV Sigs: 0MD5: fe698826aeaa43b22bab08d76e9724cc

Artifact 76:  � ⧵macros⧵vba⧵zzqurfe1Src: extractedImports: 0Type: dataSHA256: f9de38ee5b50f6e7cf9e9d0945e5e2bdf178b682a56ac2af9ad245d809061bf4Size: 3645Exports: 0AV Sigs: 0MD5: a8aa2b121b18cc867df8aba5dd578806

Artifact 77:  � ⧵macros⧵vba⧵ygkkmfpvlSrc: extractedImports: 0Type: dataSHA256: af65895afc2735887bb090c7eb3726bffbfd2f1b2db7d8391a7cb4e2418ecd42Size: 4007Exports: 0

Page 22: Analysis Report - Cisco Community5/6/2016 feca4ffca4701fdaa076625269946d71  1/24 Severity: 90 Confidence: 90 Severity: 70

5/6/2016 feca4ffca4701fdaa076625269946d71

https://amptools.cisco.com/report.php?id=feca4ffca4701fdaa076625269946d71 22/24

Related to: artifact 40

Related to: artifact 40

Related to: artifact 40

Related to: artifact 40

Related to: artifact 40

AV Sigs: 0MD5: d5faf98cefff312e8721f0f1e6fc49e3

Artifact 78:  � ⧵macros⧵vba⧵_vba_projectSrc: extractedImports: 0Type: dataSHA256: e9d688db1f738942534b298fb38ce371d086cb37ef1f96d77a8ecfdaa3b002e9Size: 7830Exports: 0AV Sigs: 0MD5: e8f82685ef9283077b91968d2fe4dccc

Artifact 79:  � ⧵macros⧵vba⧵dirSrc: extractedImports: 0Type: dataSHA256: bbc5a0603ce661c12f76999cc8ed276549454ad91ef6de55cfd2baa0f075165bSize: 1057Exports: 0AV Sigs: 0MD5: 399873f862464a45f38e7fb3a1da1280

Artifact 80:  � ⧵macros⧵vba⧵__srp_0Src: extractedImports: 0Type: dataSHA256: a3df7bba43243b315c30db226ad95a22ac4c6d70fe79ad411371b05ac7f1df69Size: 2988Exports: 0AV Sigs: 0MD5: 8b955f3a2b8386848a1ec1722b2ad6fb

Artifact 81:  � ⧵macros⧵vba⧵__srp_1Src: extractedImports: 0Type: dataSHA256: 124fc78beac03408cb19978deb3f15fb38f792e00570fa57df3de564a43c52ecSize: 537Exports: 0AV Sigs: 0MD5: 1855eb0c4b91ed82a1f964b6363a4e81

Artifact 82:  � ⧵macros⧵kadlcyihk⧵fSrc: extractedImports: 0Type: dataSHA256: 1122b587307c15f6bc14fe6c9b2a499cc505cda826f81671ca784d8cbbcb16e1Size: 2386Exports: 0AV Sigs: 0MD5: 3b5d20900a1943776037babc69821da4

Page 23: Analysis Report - Cisco Community5/6/2016 feca4ffca4701fdaa076625269946d71  1/24 Severity: 90 Confidence: 90 Severity: 70

5/6/2016 feca4ffca4701fdaa076625269946d71

https://amptools.cisco.com/report.php?id=feca4ffca4701fdaa076625269946d71 23/24

Related to: artifact 40

Related to: artifact 40

Related to: artifact 40

Related to: artifact 40

Related to: artifact 40

Related to: artifact 40

Artifact 83:  � ⧵macros⧵kadlcyihk⧵oSrc: extractedImports: 0Type: dataSHA256: b0635c9dcebe4d35240ff49fd9252438149ec75317a059a51123c096811823fbSize: 4492Exports: 0AV Sigs: 0MD5: 3c5a87c70e0e25dd5a0de39a8ce60d0f

Artifact 84:  � ⧵macros⧵kadlcyihk⧵s⧵⧵1compobjSrc: extractedImports: 0Type: dataSHA256: 057e3d39cd6e6b882c9cebfb56920db712f49cd628b35bf58e1fd544c0bea20bSize: 97Exports: 0AV Sigs: 0MD5: 8b485527ad9d96fe72d3fba385f0ad95

Artifact 85:  � ⧵macros⧵kadlcyihk⧵s⧵⧵3vbframeSrc: extractedImports: 0Type: ASCII text, with CRLF line terminatorsSHA256: a29a3aed6332864847289f3b9c0bfb0f6bbcf533a52fdebf7375e8626f92552cSize: 296Exports: 0AV Sigs: 0MD5: 9644d7f5a99bc93fa45867e6d54e7329

Artifact 86:  � ⧵macros⧵projectwmSrc: extractedImports: 0Type: dataSHA256: aacc2c9c7b95c254d9cfec5965022f160c676080b9fe1a47320fb29ed927d4a0Size: 215Exports: 0AV Sigs: 0MD5: 7f6bc44e5b93723c31e18ed591dfaf87

Artifact 87:  � ⧵macros⧵projectSrc: extractedImports: 0Type: ASCII text, with CRLF line terminatorsSHA256: bb21fcdda8d0ad7fcf20895542c3f5b88039cfb8bcf49d97325d8117ceb1454dSize: 702Exports: 0AV Sigs: 0MD5: dc177f6ab2b99e1af9db963574b7a011

Artifact 88:  � ⧵s⧵⧵1compobjSrc: extracted

Page 24: Analysis Report - Cisco Community5/6/2016 feca4ffca4701fdaa076625269946d71  1/24 Severity: 90 Confidence: 90 Severity: 70

5/6/2016 feca4ffca4701fdaa076625269946d71

https://amptools.cisco.com/report.php?id=feca4ffca4701fdaa076625269946d71 24/24

Files Created: 1     Files Read: 22     Files Modified: 13     Files Deleted: 2

Imports: 0Type: dataSHA256: f70fe384c672865fff4bb8ab60d73098bc751e8f2aa915b8aff2e2085648b428Size: 114Exports: 0AV Sigs: 0MD5: 367e9d6e505ece35eba2c1469c5cd664

Registry ActivityCreated Keys

Deleted Keys

Modified Keys

Deleted Key Values

FilesystemActivity
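The artifact listing above is the raw OLE stream inventory of the document, emitted once per parent copy (artifacts 11 and 40), and a reader has to work out by hand which streams carry the VBA source, which are compiler caches, and which entries are byte-for-byte repeats (artifacts 79-88 carry the same SHA256 values as 55-64). The Python below is an added example written for this page, not ThreatGRID's or Cisco AMP's code: it parses the flattened "Artifact N: ... MD5: ..." records exactly as the export prints them, labels each stream by its role in a VBA project (dir, _VBA_PROJECT and __SRP_n caches, PROJECT/PROJECTwm, per-module source streams, and the f/o/VBFrame/CompObj streams of a UserForm storage), pairs artifacts that are identical across the two parent copies, and lists the module streams that hold source worth decompressing. The sample records are copied from this report; the rule that artifacts through 64 belong to artifact 11 and 65 onward to artifact 40 is read off the report's "Related to" column; the role labels and function names are this example's own.

```python
"""Triage a ThreatGRID-style OLE artifact listing (added example, not vendor code)."""
import re
from collections import defaultdict

# The export renders the OLE path separator as U+29F5 and leaves a U+FFFD before each path.
SEP = "\u29f5"

# Constructed sample: seven records copied from this report, fields run together as exported.
SAMPLE = """\
Artifact 55:  \ufffd \u29f5macros\u29f5vba\u29f5dirSrc: extractedImports: 0Type: dataSHA256: bbc5a0603ce661c12f76999cc8ed276549454ad91ef6de55cfd2baa0f075165bSize: 1057Exports: 0AV Sigs: 0MD5: 399873f862464a45f38e7fb3a1da1280
Artifact 57:  \ufffd \u29f5macros\u29f5vba\u29f5__srp_1Src: extractedImports: 0Type: dataSHA256: 124fc78beac03408cb19978deb3f15fb38f792e00570fa57df3de564a43c52ecSize: 537Exports: 0AV Sigs: 0MD5: 1855eb0c4b91ed82a1f964b6363a4e81
Artifact 61:  \ufffd \u29f5macros\u29f5kadlcyihk\u29f5s\u29f5\u29f53vbframeSrc: extractedImports: 0Type: ASCII text, with CRLF line terminatorsSHA256: a29a3aed6332864847289f3b9c0bfb0f6bbcf533a52fdebf7375e8626f92552cSize: 296Exports: 0AV Sigs: 0MD5: 9644d7f5a99bc93fa45867e6d54e7329
Artifact 63:  \ufffd \u29f5macros\u29f5projectSrc: extractedImports: 0Type: ASCII text, with CRLF line terminatorsSHA256: bb21fcdda8d0ad7fcf20895542c3f5b88039cfb8bcf49d97325d8117ceb1454dSize: 702Exports: 0AV Sigs: 0MD5: dc177f6ab2b99e1af9db963574b7a011
Artifact 74:  \ufffd \u29f5macros\u29f5vba\u29f5xesuifuquqjcprlSrc: extractedImports: 0Type: dataSHA256: f2c0f9b893a4487b31bc61baa385e00e7962d5c7918d71872e6b5217caee19b5Size: 5169Exports: 0AV Sigs: 0MD5: c4ce549dacf4d66d1f4685814fe5508b
Artifact 79:  \ufffd \u29f5macros\u29f5vba\u29f5dirSrc: extractedImports: 0Type: dataSHA256: bbc5a0603ce661c12f76999cc8ed276549454ad91ef6de55cfd2baa0f075165bSize: 1057Exports: 0AV Sigs: 0MD5: 399873f862464a45f38e7fb3a1da1280
Artifact 81:  \ufffd \u29f5macros\u29f5vba\u29f5__srp_1Src: extractedImports: 0Type: dataSHA256: 124fc78beac03408cb19978deb3f15fb38f792e00570fa57df3de564a43c52ecSize: 537Exports: 0AV Sigs: 0MD5: 1855eb0c4b91ed82a1f964b6363a4e81
"""

# One record per line; every field label is glued to the previous value, so match lazily.
RECORD = re.compile(
    r"Artifact (?P<id>\d+):[^" + SEP + r"\n]*?(?P<path>" + SEP + r".*?)Src: (?P<src>\w+)"
    r"Imports: (?P<imports>\d+)Type: (?P<type>.*?)SHA256: (?P<sha256>[0-9a-f]+)"
    r"Size: (?P<size>\d+)Exports: (?P<exports>\d+)AV Sigs: (?P<av_sigs>\d+)MD5: (?P<md5>[0-9a-f]+)"
)


def parse_artifacts(text):
    """Turn flattened report lines into dicts; the U+29F5 separator becomes a backslash."""
    records = []
    for m in RECORD.finditer(text):
        aid = int(m["id"])
        records.append({
            "id": aid,
            "path": m["path"].replace(SEP, "\\"),
            "type": m["type"],
            "size": int(m["size"]),
            "sha256": m["sha256"],
            "md5": m["md5"],
            "av_sigs": int(m["av_sigs"]),
            # Read off this report's "Related to" column: artifacts through 64 came from
            # artifact 11 (the copy in \TEMP), 65 onward from artifact 40 (the original).
            "parent": 40 if aid >= 65 else 11,
        })
    return records


def classify_stream(path):
    """Label an OLE stream by its role in a Word binary with a VBA project (MS-OVBA names)."""
    parts = [p for p in path.lower().split("\\") if p]
    name = parts[-1] if parts else ""
    if parts[:2] == ["macros", "vba"]:
        if name == "dir":
            return "vba-dir"            # compressed project directory: modules, references
        if name == "_vba_project" or name.startswith("__srp_"):
            return "vba-cache"          # performance/SRP caches; not the source, version-bound
        return "vba-module"             # compressed source of one module, class or document
    if parts[:1] == ["macros"] and len(parts) == 2:
        return "vba-project-info" if name in ("project", "projectwm") else "other"
    if parts[:1] == ["macros"]:
        return "vba-userform"           # f / o / VBFrame / CompObj under a form storage
    if name.endswith("summaryinformation"):
        return "metadata"
    if name in ("worddocument", "1table", "0table", "data"):
        return "word-binary"
    return "other"


def find_duplicates(records):
    """Artifact ids that share a SHA256, i.e. the same stream extracted from both parent copies."""
    by_hash = defaultdict(list)
    for r in records:
        by_hash[r["sha256"]].append(r["id"])
    return {h: ids for h, ids in by_hash.items() if len(ids) > 1}


def macro_modules(records):
    """Module stream names (the ones worth decompressing) grouped by parent artifact."""
    out = defaultdict(list)
    for r in records:
        if classify_stream(r["path"]) == "vba-module":
            out[r["parent"]].append(r["path"].rsplit("\\", 1)[-1])
    return dict(out)


def triage(text):
    records = parse_artifacts(text)
    return {
        "artifacts": len(records),
        "flagged_by_av": [r["id"] for r in records if r["av_sigs"]],
        "modules": macro_modules(records),
        "duplicates": find_duplicates(records),
        "roles": {r["id"]: classify_stream(r["path"]) for r in records},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the full listing, the duplicate map should pair every one of artifacts 55-64 with its twin in 79-88, and the module list should name six streams per parent (thisdocument, kadlcyihk, xesuifuquqjcprl, tckkopvxvcxb, zzqurfe1, ygkkmfpvl); note that "AV Sigs: 0" on every extracted stream means signature hits alone say nothing here, and the decision rests on what those module streams contain once decompressed.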

All information contained in this report is confidential and proprietary information belonging solely to ThreatGRID, Inc.

This document is client confidential and is intended for internal customer use only. The information contained herein is the property of ThreatGRID and may not be copied, used or disclosed in whole or in part, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, reprographic, recording or otherwise) without the prior written permission of ThreatGRID.

Generated by ThreatBRAIN