
Analysis Report https://onedrive.live.com/view.aspx?resid=ce03545ddabfb173!450&ithint=file%2cdocx&app=word&authkey=!amrvnoxxznyrscg&data

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 109773
Start date: 11.02.2019
Start time: 17:48:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: browseurl.jbs
Sample URL: https://onedrive.live.com/view.aspx?resid=ce03545ddabfb173!450&ithint=file%2cdocx&app=word&authkey=!amrvnoxxznyrscg&data
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • EGA enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean2.win@3/317@18/3
Cookbook Comments:
  • Adjust boot time
  • Browsing link: https://login.live.com/gls.srf?urlid=msnprivacystatement&mkt=en-us&vv=1600
  • Browsing link: https://signup.live.com/?wa=wsignin1.0&rpsnv=13&ct=1549903747&rver=6.7.6643.0&wp=mbi_ssl_shared&wreply=https:%2f%2fonedrive.live.com%2fview.aspx%3fresid%3dce03545ddabfb173!450%26ithint%3dfile%2cdocx%26app%3dword%26authkey%3d!amrvnoxxznyrscg%26data&id=250206&cbcxt=sky&cbcxt=sky&contextid=56a88cf992abef18&bk=1549903748&uiflavor=web&mkt=en-us&lc=1033
  • Browsing link: https://account.live.com/username/recover?wreply=https://login.live.com/login.srf%3flc%3d1033%26mkt%3den-us%26wa%3dwsignin1.0%26rpsnv%3d13%26ct%3d1549903747%26rver%3d6.7.6643.0%26wp%3dmbi_ssl_shared%26wreply%3dhttps:%252f%252fonedrive.live.com%252fview.aspx%253fresid%253dce03545ddabfb173!450%2526ithint%253dfile%252cdocx%2526app%253dword%2526authkey%253d!amrvnoxxznyrscg%2526data%26lc%3d1033%26id%3d250206%26cbcxt%3dsky%26cbcxt%3dsky%26contextid%3d56a88cf992abef18%26bk%3d1549903748&id=250206&mkt=en-us&lc=1033&uiflavor=web
  • Browsing link: https://login.live.com/gls.srf?urlid=winlivetermsofuse&mkt=en-us&vv=1600
  • Browsing link: https://login.live.com/pp1600/#
Warnings:
  • Exclude process from analysis (whitelisted): ielowutil.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe
  • Report size getting too big, too many NtDeviceIoControlFile calls found.

Detection

Strategy: Threshold
Score: 2
Range: 0 - 100
Reporting: Report FP / FN
Whitelisted: false
Detection: clean

Confidence

Strategy: Threshold
Score: 4
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Uses HTTPS for network communication; use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis.



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Windows Remote Management | Winlogon Helper DLL | Port Monitors | File System Logical Offsets | Credential Dumping | System Service Discovery | Application Deployment Software | Data from Local System | Data Encrypted 1 | Standard Non-Application Layer Protocol 2
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Binary Padding | Network Sniffing | Application Window Discovery | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Application Layer Protocol 2

Signature Overview



Phishing:

Found iframes
Source: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1549903747&rver=6.7.6643.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fview.aspx%3Fresid%3Dce03545ddabfb173!450%26ithint%3Dfile%2Cdocx%26app%3Dword%26authkey%3D!amrvnoxxznyrscg%26data&lc=1033&id=250206&cbcxt=sky&cbcxt=sky | HTTP Parser: Iframe src: https://onedrive.live.com/preload?view=Folders.All&id=250206&mkt=EN-US
HTML body contains low number of good links
Source: https://account.live.com/username/recover?wreply=https://login.live.com/login.srf%3flc%3d1033%26mkt%3den-us%26wa%3dwsignin1.0%26rpsnv%3d13%26ct%3d1549903747%26rver%3d6.7.6643.0%26wp%3dmbi_ssl_shared%26wreply%3dhttps:%252f%252fonedrive.live.com%252fview.aspx%253fresid%253dce03545ddabfb173!450%2526ithint%253dfile%252cdocx%2526app%253dword%2526authkey%253d!amrvnoxxznyrscg%2526data%26lc%3d1033%26id%3d250206%26cbcxt%3dsky%26cbcxt%3dsky%26contextid%3d56a88cf992abef18%26bk%3d1549903748&id=250206&mkt=en-us&lc=1033&uiflavor=web | HTTP Parser: Number of links: 0
Source: https://signup.live.com/?wa=wsignin1.0&rpsnv=13&ct=1549903747&rver=6.7.6643.0&wp=mbi_ssl_shared&wreply=https%3a%2f%2fonedrive.live.com%2fview.aspx%3fresid%3dce03545ddabfb173!450%26ithint%3dfile%2cdocx%26app%3dword%26authkey%3d!amrvnoxxznyrscg%26data&id=250206&cbcxt=sky&cbcxt=sky&contextid=56a88cf992abef18&bk=1549903748&uiflavor=web&mkt=en-us&lc=1033&lic=1 | HTTP Parser: Number of links: 0
HTML title does not match URL
Source: https://account.live.com/username/recover?wreply=https://login.live.com/login.srf%3flc%3d1033%26mkt%3den-us%26wa%3dwsignin1.0%26rpsnv%3d13%26ct%3d1549903747%26rver%3d6.7.6643.0%26wp%3dmbi_ssl_shared%26wreply%3dhttps:%252f%252fonedrive.live.com%252fview.aspx%253fresid%253dce03545ddabfb173!450%2526ithint%253dfile%252cdocx%2526app%253dword%2526authkey%253d!amrvnoxxznyrscg%2526data%26lc%3d1033%26id%3d250206%26cbcxt%3dsky%26cbcxt%3dsky%26contextid%3d56a88cf992abef18%26bk%3d1549903748&id=250206&mkt=en-us&lc=1033&uiflavor=web | HTTP Parser: Title: Recover your username does not match URL
Source: https://login.live.com/pp1600/# | HTTP Parser: Title: Sign in to your Microsoft account does not match URL
Source: https://signup.live.com/?wa=wsignin1.0&rpsnv=13&ct=1549903747&rver=6.7.6643.0&wp=mbi_ssl_shared&wreply=https%3a%2f%2fonedrive.live.com%2fview.aspx%3fresid%3dce03545ddabfb173!450%26ithint%3dfile%2cdocx%26app%3dword%26authkey%3d!amrvnoxxznyrscg%26data&id=250206&cbcxt=sky&cbcxt=sky&contextid=56a88cf992abef18&bk=1549903748&uiflavor=web&mkt=en-us&lc=1033&lic=1 | HTTP Parser: Title: Create account does not match URL
Source: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1549903747&rver=6.7.6643.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fview.aspx%3Fresid%3Dce03545ddabfb173!450%26ithint%3Dfile%2Cdocx%26app%3Dword%26authkey%3D!amrvnoxxznyrscg%26data&lc=1033&id=250206&cbcxt=sky&cbcxt=sky | HTTP Parser: Title: OneDrive does not match URL
Submit button contains javascript call
Source: https://account.live.com/username/recover?wreply=https://login.live.com/login.srf%3flc%3d1033%26mkt%3den-us%26wa%3dwsignin1.0%26rpsnv%3d13%26ct%3d1549903747%26rver%3d6.7.6643.0%26wp%3dmbi_ssl_shared%26wreply%3dhttps:%252f%252fonedrive.live.com%252fview.aspx%253fresid%253dce03545ddabfb173!450%2526ithint%253dfile%252cdocx%2526app%253dword%2526authkey%253d!amrvnoxxznyrscg%2526data%26lc%3d1033%26id%3d250206%26cbcxt%3dsky%26cbcxt%3dsky%26contextid%3d56a88cf992abef18%26bk%3d1549903748&id=250206&mkt=en-us&lc=1033&uiflavor=web | HTTP Parser: On click: HOSTUI.evt_inlineBack_onclick();
Source: https://account.live.com/username/recover?wreply=https://login.live.com/login.srf%3flc%3d1033%26mkt%3den-us%26wa%3dwsignin1.0%26rpsnv%3d13%26ct%3d1549903747%26rver%3d6.7.6643.0%26wp%3dmbi_ssl_shared%26wreply%3dhttps:%252f%252fonedrive.live.com%252fview.aspx%253fresid%253dce03545ddabfb173!450%2526ithint%253dfile%252cdocx%2526app%253dword%2526authkey%253d!amrvnoxxznyrscg%2526data%26lc%3d1033%26id%3d250206%26cbcxt%3dsky%26cbcxt%3dsky%26contextid%3d56a88cf992abef18%26bk%3d1549903748&id=250206&mkt=en-us&lc=1033&uiflavor=web | HTTP Parser: On click: HOSTUI.evt_inlineBack_onclick();
Source: https://signup.live.com/?wa=wsignin1.0&rpsnv=13&ct=1549903747&rver=6.7.6643.0&wp=mbi_ssl_shared&wreply=https%3a%2f%2fonedrive.live.com%2fview.aspx%3fresid%3dce03545ddabfb173!450%26ithint%3dfile%2cdocx%26app%3dword%26authkey%3d!amrvnoxxznyrscg%26data&id=250206&cbcxt=sky&cbcxt=sky&contextid=56a88cf992abef18&bk=1549903748&uiflavor=web&mkt=en-us&lc=1033&lic=1 | HTTP Parser: On click: OnBack(); return false;
Source: https://signup.live.com/?wa=wsignin1.0&rpsnv=13&ct=1549903747&rver=6.7.6643.0&wp=mbi_ssl_shared&wreply=https%3a%2f%2fonedrive.live.com%2fview.aspx%3fresid%3dce03545ddabfb173!450%26ithint%3dfile%2cdocx%26app%3dword%26authkey%3d!amrvnoxxznyrscg%26data&id=250206&cbcxt=sky&cbcxt=sky&contextid=56a88cf992abef18&bk=1549903748&uiflavor=web&mkt=en-us&lc=1033&lic=1 | HTTP Parser: On click: HOSTUI.evt_inlineBack_onclick();
Source: https://signup.live.com/?wa=wsignin1.0&rpsnv=13&ct=1549903747&rver=6.7.6643.0&wp=mbi_ssl_shared&wreply=https%3a%2f%2fonedrive.live.com%2fview.aspx%3fresid%3dce03545ddabfb173!450%26ithint%3dfile%2cdocx%26app%3dword%26authkey%3d!amrvnoxxznyrscg%26data&id=250206&cbcxt=sky&cbcxt=sky&contextid=56a88cf992abef18&bk=1549903748&uiflavor=web&mkt=en-us&lc=1033&lic=1 | HTTP Parser: On click: HOSTUI.evt_inlineBack_onclick();
META author tag missing
Source: https://account.live.com/username/recover?wreply=https://login.live.com/login.srf%3flc%3d1033%26mkt%3den-us%26wa%3dwsignin1.0%26rpsnv%3d13%26ct%3d1549903747%26rver%3d6.7.6643.0%26wp%3dmbi_ssl_shared%26wreply%3dhttps:%252f%252fonedrive.live.com%252fview.aspx%253fresid%253dce03545ddabfb173!450%2526ithint%253dfile%252cdocx%2526app%253dword%2526authkey%253d!amrvnoxxznyrscg%2526data%26lc%3d1033%26id%3d250206%26cbcxt%3dsky%26cbcxt%3dsky%26contextid%3d56a88cf992abef18%26bk%3d1549903748&id=250206&mkt=en-us&lc=1033&uiflavor=web | HTTP Parser: No <meta name="author".. found
Source: https://login.live.com/pp1600/# | HTTP Parser: No <meta name="author".. found
Source: https://signup.live.com/?wa=wsignin1.0&rpsnv=13&ct=1549903747&rver=6.7.6643.0&wp=mbi_ssl_shared&wreply=https%3a%2f%2fonedrive.live.com%2fview.aspx%3fresid%3dce03545ddabfb173!450%26ithint%3dfile%2cdocx%26app%3dword%26authkey%3d!amrvnoxxznyrscg%26data&id=250206&cbcxt=sky&cbcxt=sky&contextid=56a88cf992abef18&bk=1549903748&uiflavor=web&mkt=en-us&lc=1033&lic=1 | HTTP Parser: No <meta name="author".. found
Source: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1549903747&rver=6.7.6643.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fview.aspx%3Fresid%3Dce03545ddabfb173!450%26ithint%3Dfile%2Cdocx%26app%3Dword%26authkey%3D!amrvnoxxznyrscg%26data&lc=1033&id=250206&cbcxt=sky&cbcxt=sky | HTTP Parser: No <meta name="author".. found
META copyright tag missing
Source: https://account.live.com/username/recover?wreply=https://login.live.com/login.srf%3flc%3d1033%26mkt%3den-us%26wa%3dwsignin1.0%26rpsnv%3d13%26ct%3d1549903747%26rver%3d6.7.6643.0%26wp%3dmbi_ssl_shared%26wreply%3dhttps:%252f%252fonedrive.live.com%252fview.aspx%253fresid%253dce03545ddabfb173!450%2526ithint%253dfile%252cdocx%2526app%253dword%2526authkey%253d!amrvnoxxznyrscg%2526data%26lc%3d1033%26id%3d250206%26cbcxt%3dsky%26cbcxt%3dsky%26contextid%3d56a88cf992abef18%26bk%3d1549903748&id=250206&mkt=en-us&lc=1033&uiflavor=web | HTTP Parser: No <meta name="copyright".. found
Source: https://login.live.com/pp1600/# | HTTP Parser: No <meta name="copyright".. found
Source: https://signup.live.com/?wa=wsignin1.0&rpsnv=13&ct=1549903747&rver=6.7.6643.0&wp=mbi_ssl_shared&wreply=https%3a%2f%2fonedrive.live.com%2fview.aspx%3fresid%3dce03545ddabfb173!450%26ithint%3dfile%2cdocx%26app%3dword%26authkey%3d!amrvnoxxznyrscg%26data&id=250206&cbcxt=sky&cbcxt=sky&contextid=56a88cf992abef18&bk=1549903748&uiflavor=web&mkt=en-us&lc=1033&lic=1 | HTTP Parser: No <meta name="copyright".. found
Source: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1549903747&rver=6.7.6643.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fview.aspx%3Fresid%3Dce03545ddabfb173!450%26ithint%3Dfile%2Cdocx%26app%3Dword%26authkey%3D!amrvnoxxznyrscg%26data&lc=1033&id=250206&cbcxt=sky&cbcxt=sky | HTTP Parser: No <meta name="copyright".. found

Networking:

Found strings which match known social media URLs
Source: servicesagreement[1].htm.3.dr | String found in binary or memory: record is used. Microsoft does not support non-Microsoft credentials (such as Facebook and OpenID), so HealthVault customer equals www.facebook.com (Facebook)
Source: odcstorageinfo.resx-00e3db72[1].js.3.dr | String found in binary or memory: one place for your work and life. Store and share documents, photos, and more in the cloud.",referralLinkText:"For each friend who signs into OneDrive as a new customer, both you and your friend will receive an extra 0.5 GB of free storage (max {0}).",invitesSent:"Invites were sent",sendingInvites:"Sending invites",mailWarning:"Note that the invitation to OneDrive is not available to people living in the European Union member states, Australia and New Zealand. You can still invite them by posting to Facebook, Twitter or LinkedIn."}});define("odsp-next/models/sharing/SharingNetwork.resx",["require","exports"],function(e,o){o.strings={facebook:"Facebook",twitter:"Twitter",linkedin:"LinkedIn",weibo:"Sina Weibo"}});define("odsp-next/controls/autoFillPopup/AutoFill.resx",["require","exports"],function(e,o){o.strings={NoResults:"No results",ResultsCapped:"Showing top results",SuggestedPeopleMenu:"Suggested people"}});define("odsp-next/controls/persona/Persona.resx",["require","exports"],function(e,o){o.strings={Vi
Source: PrivacyStatement[1].htm.3.dr | String found in binary or memory: <a target="_blank" class="mscom-link" href="https://aim.yahoo.com/aim/us/en/optout/">Flurry Analytics</a>, equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
Urls found in memory or binary data
Uses HTTPS

System Summary:

Binary contains paths to development resources
Source: OneNote[1].js.3.dr | Binary or memory string: function wac_MLa(a,b){var c=a.lastIndexOf(".");if(0>c)return b.val="",!1;b.val=a.substring(c,a.length);a=b.val;if(!wac_kL){wac_kL=new (wac_Fa.$$(String))(wac_ua());b=".3gp .aa .aac .aax .act .aiff .amr .ape .au .awb .dct .dss .dvf .flac .gsm .iklax .ivs .m4a .m4b .m4p .mmf .mp3 .mpc .msv .ogg .oga .mogg .opus .ra .rm .raw .sln .tta .vox .wav .webm .wma .wv".split(" ");for(var c=b.length,d=0;d<c;++d)wac_kL.W(b[d])}return wac_kL.qd(a)}function wac_Gy(a){return 32===a.Da()}
Classification label
Source: classification engine | Classification label: clean2.win@3/317@18/3
Creates files inside the user directory
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Creates temporary files
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF31C18605D2BD4287.TMP
Reads ini files
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Spawns processes
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1176 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1176 CREDAT:17410 /prefetch:2
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll
Binary contains paths to debug symbols

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
[Behavior graph image not reproduced; recoverable information follows.]
Behavior Graph ID: 109773
URL: https://onedrive.live.com/view.aspx?resid=ce03545ddabfb17...
Startdate: 11/02/2019
Architecture: WINDOWS
Score: 2
Processes: iexplore.exe (started), which started a second iexplore.exe
DNS/IP Info:
  • aa-hip-prod.southcentralus.cloudapp.azure.com 104.215.74.84, 443, 49867, 49868 MICROSOFT-CORP-MSN-AS-BLOCK-MicrosoftCorporationUS United States
  • aa-hip-prod.eastus.cloudapp.azure.com 23.96.111.19, 443, 49869, 49870 MICROSOFT-CORP-MSN-AS-BLOCK-MicrosoftCorporationUS United States
  • 21 other IPs or domains

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.