
Analysis Report Apple Invoice.doc

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 203498
Start date: 26.01.2020
Start time: 23:22:34
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 36s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Apple Invoice.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Run name: Potential for more IOCs and behavior
Number of newly started processes analysed: 9
Number of newly started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: SUS
Classification: sus22.phis.winDOC@4/46@2/2
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Browse link: https://t.umblr.com/redirect?z=https%3A%2F%2Fmembership-data.servehttp.com%2F%3Fpayment&t=ODIzMDkyYTJjNDRkNzAzMzkyMTY3ODNmMmQzODQzOTUyZDUzNzNkOSxtUGNnb3ZFUQ%3D%3D&b=t%3A86EixzE49DWseK7VEF3cIQ&p=https%3A%2F%2Fksdahfsollmfsd.tumblr.com%2Fpost%2F190476608701&m=1
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, dllhost.exe, ielowutil.exe, conhost.exe, CompatTelRunner.exe
  • TCP Packets have been reduced to 100
  • Excluded IPs from analysis (whitelisted): 13.107.3.128, 13.107.5.88, 52.109.32.27, 52.109.124.18, 52.114.128.10, 104.121.177.139, 40.67.254.36, 72.21.81.200, 152.199.19.161
  • Excluded domains from analysis (whitelisted): client-office365-tas.msedge.net, mobile.pipe.aria.microsoft.com, e-0009.e-msedge.net, wns.notify.windows.com.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, prd.col.aria.mobile.skypedata.akadns.net, go.microsoft.com, db5p.wns.notify.windows.com.akadns.net, officeclient.microsoft.com, pipe.prd.skypedata.akadns.net, config.edge.skype.com, pipe.cloudapp.aria.akadns.net, client.wns.windows.com, afdo-tas-offload.trafficmanager.net, ie9comview.vo.msecnd.net, prod.configsvc1.live.com.akadns.net, s-0001.s-msedge.net, prod.nexusrules.live.com.akadns.net, emea2.notify.windows.com.akadns.net, pipe.skype.com, config.officeapps.live.com, go.microsoft.com.edgekey.net, nexusrules.officeapps.live.com, europe.configsvc1.live.com.akadns.net, cs9.wpc.v0cdn.net
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.

Detection

Strategy: Threshold
Score: 22
Range: 0 - 100
Whitelisted: false
Detection: suspicious

Confidence

Strategy: Threshold
Score: 3
Range: 0 - 5
Further Analysis Required?: true

Analysis Advice

No malicious behavior was found; analyze the document on other versions of Office / Acrobat as well.
Uses HTTPS for network communication; use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis.



Mitre Att&ck Matrix

Each tactic column of the report's matrix is given as one line. A number in parentheses is the count of matched signatures for that technique; techniques without a count are the matrix's placeholder cells and were not matched in this analysis.

Initial Access: Valid Accounts, Replication Through Removable Media, External Remote Services
Execution: Graphical User Interface (1), Service Execution, Windows Management Instrumentation
Persistence: Winlogon Helper DLL, Port Monitors, Accessibility Features
Privilege Escalation: Process Injection (1), Extra Window Memory Injection (1), Path Interception
Defense Evasion: Masquerading (1), Process Injection (1), Extra Window Memory Injection (1)
Credential Access: Credential Dumping, Network Sniffing, Input Capture
Discovery: File and Directory Discovery (1), System Information Discovery (1), Query Registry
Lateral Movement: Application Deployment Software, Remote Services, Windows Remote Management
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive
Exfiltration: Data Compressed, Exfiltration Over Other Network Medium, Automated Exfiltration
Command and Control: Standard Cryptographic Protocol (2), Standard Non-Application Layer Protocol (1), Standard Application Layer Protocol (2)
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data

Signature Overview



Phishing:

Phishing site detected (based on favicon image match)
Source: https://membership-data.servehttp.com/?page=signin&appIdKey=dfd159e078f9d8064013e5bd9a8defa4d45f5f4a&locale=de_CH | Matcher: Template: apple matched with high similarity
HTML body contains low number of good links
Source: https://membership-data.servehttp.com/?page=signin&appIdKey=dfd159e078f9d8064013e5bd9a8defa4d45f5f4a&locale=de_CH | HTTP Parser: Number of links: 0
No HTML title found
Source: https://membership-data.servehttp.com/?page=signin&appIdKey=dfd159e078f9d8064013e5bd9a8defa4d45f5f4a&locale=de_CH | HTTP Parser: HTML title missing
META author tag missing
Source: https://membership-data.servehttp.com/?page=signin&appIdKey=dfd159e078f9d8064013e5bd9a8defa4d45f5f4a&locale=de_CH | HTTP Parser: No <meta name="author".. found
META copyright tag missing
Source: https://membership-data.servehttp.com/?page=signin&appIdKey=dfd159e078f9d8064013e5bd9a8defa4d45f5f4a&locale=de_CH | HTTP Parser: No <meta name="copyright".. found
The favicon template match is the one signature that ties the sign-in page to the Apple brand it imitates; the other four are generic page-hygiene heuristics that also fire on many legitimate single-page applications, so they corroborate rather than establish the phishing verdict.
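
The HTTP Parser signatures above are static checks on the fetched sign-in page. The following is an added example, not Joe Sandbox code, that implements the same kind of checks with Python's html.parser and runs them over two constructed pages: the first is modelled on the page the report describes (favicon path taken from the report's imagestore entry, no title, no author or copyright meta tag, zero links, a password form), the second is benign. The min_good_links threshold and the credential-form check are assumptions of the example, not signatures from the report.

```python
"""Static phishing-page heuristics over constructed HTML (added example)."""
from html.parser import HTMLParser

# Constructed: a page shaped like the sign-in page in the report. Only the
# favicon path is taken from the report; everything else is illustrative.
PHISH_HTML = """<html><head>
<link rel="icon" href="/HijaIyh_App/assets/img/favicon.ico">
</head><body>
<form method="post" action="?page=signin">
  <input name="appleId" type="text">
  <input name="password" type="password">
  <button>Sign in</button>
</form></body></html>"""

# Constructed: a benign page with the metadata and links the heuristics expect.
BENIGN_HTML = """<html><head><title>Example Corp</title>
<meta name="author" content="Example Corp">
<meta name="copyright" content="2020 Example Corp">
</head><body>
<a href="/about">About</a><a href="/contact">Contact</a>
<a href="/privacy">Privacy</a><a href="https://example.com/blog">Blog</a>
</body></html>"""


class _PageFacts(HTMLParser):
    """Collect the few facts the heuristics need: title, meta names, links, forms."""

    def __init__(self) -> None:
        super().__init__()
        self.title = ""
        self._in_title = False
        self.meta_names: set[str] = set()
        self.links: list[str] = []
        self.password_fields = 0
        self.form_actions: list[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for valueless attributes
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and a.get("name"):
            self.meta_names.add(a["name"].lower())
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def score_page(html: str, min_good_links: int = 3) -> dict:
    """Return each heuristic's verdict plus the number of heuristics that fired."""
    facts = _PageFacts()
    facts.feed(html)
    # Anchors that go nowhere do not count as "good" links.
    real_links = [h for h in facts.links if not h.startswith(("#", "javascript:"))]
    findings = {
        "no_title": not facts.title.strip(),
        "meta_author_missing": "author" not in facts.meta_names,
        "meta_copyright_missing": "copyright" not in facts.meta_names,
        "few_links": len(real_links) < min_good_links,
        "credential_form": facts.password_fields > 0,
    }
    score = sum(findings.values())
    findings["score"] = score
    return findings


if __name__ == "__main__":
    for name, page in (("phish", PHISH_HTML), ("benign", BENIGN_HTML)):
        print(name, score_page(page))
```

Each heuristic is weak on its own (plenty of internal tools have no title or meta tags); the value is in the combination with a brand match such as the favicon similarity the report relies on.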

Software Vulnerabilities:

Allocates a big amount of memory (probably used for heap spraying)
Source: winword.exe | Memory has grown: Private usage: 3MB later: 68MB
This is a generic heuristic. Word's private usage growing from 3 MB to 68 MB while it renders a document is unremarkable, and nothing else in the report corroborates an exploit: the document has no VBA macros (see System Summary), and no injected processes or new drivers were observed.

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 66.6.33.31
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
A JA3 hash fingerprints the TLS Client Hello of the connecting program. The only process that made HTTPS connections here is the Internet Explorer instance the cookbook launched to browse the link, so a JA3 match against other reports reflects the sandbox's own Windows TLS stack and is not an attribute of the sample; the IP match is a pivot to investigate, not a verdict on its own.
Found strings which match to known social media urls
The msapplication.xml*.5.dr files below are Internet Explorer's pinned-site tile configuration for its default favorites (note the favorite src entries pointing into C:\Users\user\Favorites); they are written by the iexplore.exe instance the cookbook started, not by the sample.
Source: msapplication.xml0.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x095da5cb,0x01d5d4e3</date><accdate>0x095da5cb,0x01d5d4e3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x095da5cb,0x01d5d4e3</date><accdate>0x095da5cb,0x01d5d4e3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x0962a392,0x01d5d4e3</date><accdate>0x0962a392,0x01d5d4e3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x0962a392,0x01d5d4e3</date><accdate>0x0965199f,0x01d5d4e3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x09677cdd,0x01d5d4e3</date><accdate>0x09677cdd,0x01d5d4e3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.5.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x09677cdd,0x01d5d4e3</date><accdate>0x09677cdd,0x01d5d4e3</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: t.umblr.com
Urls found in memory or binary data
Only the entries sourced from Apple Invoice.doc, from the Internet Explorer history and cache artifacts ({3088238E-40D6-11EA-AADB-C25F135D3C65}.dat, ~DF3DDFDD04C375F6FA.TMP, redirect[1].htm, imagestore.dat) and from the phishing page's own assets (bootstrap.min[1].css, jquery.validate.min[1].js, 31642[1].ttf) belong to the phishing chain. The strings from 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr are Microsoft Office's own service endpoints, and the msapplication.xml*.5.dr strings are IE's default favorites; neither group is an indicator for this sample.
Source: bootstrap.min[1].css.6.dr | String found in binary or memory: http://getbootstrap.com)
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: msapplication.xml.5.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.5.dr | String found in binary or memory: http://www.google.com/
Source: 31642[1].ttf.6.dr | String found in binary or memory: http://www.linotype.com0
Source: msapplication.xml2.5.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.5.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.5.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.5.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.5.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.5.dr | String found in binary or memory: http://www.youtube.com/
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://api.aadrm.com/
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://api.diagnostics.office.com
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://api.microsoftstream.com/api/
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://api.onedrive.com
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://apis.live.net/v5.0/
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://augloop.office.com
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://cdn.entity.
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://clients.config.office.net/
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://config.edge.skype.com
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/documentvirality/prod/index.html
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/progressui/index.html
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://cr.office.com
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://dataservice.o365filtering.com
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://devnull.onenote.com
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://directory.services.
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: bootstrap.min[1].css.6.dr | String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://graph.ppe.windows.net
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://graph.ppe.windows.net/
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://graph.windows.net
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://graph.windows.net/
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://incidents.diagnostics.office.com
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: jquery.validate.min[1].js.6.dr | String found in binary or memory: https://jqueryvalidation.org/
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://lifecycle.office.com
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://login.microsoftonline.com/
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://login.windows.local
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://management.azure.com
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://management.azure.com/
Source: {3088238E-40D6-11EA-AADB-C25F135D3C65}.dat.5.dr, ~DF3DDFDD04C375F6FA.TMP.5.dr | String found in binary or memory: https://membership-data.servehttp.com/?page=signin&appIdKey=dfd159e078f9d8064013e5bd9a8defa4d45f5f4a
Source: redirect[1].htm.6.dr | String found in binary or memory: https://membership-data.servehttp.com/?payment
Source: {3088238E-40D6-11EA-AADB-C25F135D3C65}.dat.5.dr, ~DF3DDFDD04C375F6FA.TMP.5.dr | String found in binary or memory: https://membership-data.servehttp.com/?paymentbership-data.servehttp.com%2F%3Fpayment&t=ODIzMDkyYTJj
Source: imagestore.dat.6.dr | String found in binary or memory: https://membership-data.servehttp.com/HijaIyh_App/assets/img/favicon.ico
Source: imagestore.dat.6.dr | String found in binary or memory: https://membership-data.servehttp.com/HijaIyh_App/assets/img/favicon.ico~
Source: {3088238E-40D6-11EA-AADB-C25F135D3C65}.dat.5.dr | String found in binary or memory: https://membership-datdirect?z=https%3A%2F%2Fmembership-data.servehttp.com%2F%3Fpayment&t=ODIzMDkyYT
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://messaging.office.com/
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://ncus-000.contentsync.
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://ncus-000.pagecontentsync.
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://officeapps.live.com
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://onedrive.live.com
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://onedrive.live.com/embed?
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://powerlift.acompli.net
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://settings.outlook.com
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://shell.suite.office.com:1443
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://skyapi.live.net/Activity/
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://store.office.cn/addinstemplate
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://store.office.com/addinstemplate
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://store.office.de/addinstemplate
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: Apple Invoice.doc, {3088238E-40D6-11EA-AADB-C25F135D3C65}.dat.5.dr | String found in binary or memory: https://t.umblr.com/redirect?z=https%3A%2F%2Fmembership-data.servehttp.com%2F%3Fpayment&t=ODIzMDkyYT
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://tasks.office.com
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://templatelogging.office.com/client/log
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://web.microsoftstream.com/video/
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://wus2-000.contentsync.
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://wus2-000.pagecontentsync.
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 1772028C-00FC-4849-9C6B-98D6124E07C6.0.dr | String found in binary or memory: https://www.odwebp.svc.ms
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
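
The report's only sample-derived network indicator is the t.umblr.com redirect embedded in Apple Invoice.doc (listed above under "Urls found in memory or binary data" and used by the cookbook's "Browse link" step); everything the document does happens after the user clicks it. The following added example, not part of the report or of Joe Sandbox, shows how to recover such a link and its real destination offline: scan the raw .doc bytes for URLs in both ASCII and UTF-16LE, decode the wrapper's target parameter without contacting either host, and flag a dynamic-DNS destination. The sample blob is constructed; the REDIRECTORS and DYNAMIC_DNS_SUFFIXES tables are illustrative assumptions (Tumblr's z= parameter and the servehttp.com host are taken from the report's URL).

```python
"""Extract URLs from a raw Word (.doc) binary and unwrap tracking redirects.

Added example, not Joe Sandbox code. SAMPLE_DOC is a constructed stand-in for
the OLE file; it embeds the t.umblr.com redirect the report found in
Apple Invoice.doc.
"""
import re
from urllib.parse import parse_qs, urlparse

# The redirect exactly as listed in the report's cookbook "Browse link" step.
REDIRECT = (
    "https://t.umblr.com/redirect?z=https%3A%2F%2Fmembership-data.servehttp.com%2F%3Fpayment"
    "&t=ODIzMDkyYTJjNDRkNzAzMzkyMTY3ODNmMmQzODQzOTUyZDUzNzNkOSxtUGNnb3ZFUQ%3D%3D"
    "&b=t%3A86EixzE49DWseK7VEF3cIQ"
    "&p=https%3A%2F%2Fksdahfsollmfsd.tumblr.com%2Fpost%2F190476608701&m=1"
)

# Constructed blob: OLE magic, the URL as an ASCII HYPERLINK field, and the
# same URL again as UTF-16LE (Word stores document text in either encoding).
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
    + b'HYPERLINK "' + REDIRECT.encode("ascii") + b'"\x00'
    + b"\x00" * 8 + REDIRECT.encode("utf-16-le") + b"\x00\x00"
)

_ASCII_URL = re.compile(rb"https?://[\x21-\x7e]+")
# Same shape with a NUL after every character, i.e. UTF-16LE text.
_UTF16_URL = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")
_TRAILING_JUNK = "\"')>,;"

# Redirect wrappers and the query parameter carrying the real target.
# Assumption: only the Tumblr wrapper from the report is listed; extend as needed.
REDIRECTORS = {"t.umblr.com": "z"}

# Assumption: a short illustrative list of dynamic-DNS suffixes.
DYNAMIC_DNS_SUFFIXES = ("servehttp.com", "no-ip.org", "ddns.net", "duckdns.org")


def extract_urls(blob: bytes) -> list[str]:
    """Return unique URLs found as ASCII or UTF-16LE text, in order of first appearance."""
    hits = []
    for m in _ASCII_URL.finditer(blob):
        hits.append((m.start(), m.group().decode("ascii")))
    for m in _UTF16_URL.finditer(blob):
        hits.append((m.start(), m.group().decode("utf-16-le")))
    seen: dict[str, None] = {}
    for _, url in sorted(hits):
        seen.setdefault(url.rstrip(_TRAILING_JUNK), None)
    return list(seen)


def unwrap_redirect(url: str, max_hops: int = 5) -> list[str]:
    """Follow redirect wrappers offline by decoding their target parameter.

    Returns the chain [wrapper, ..., final]. No request is made, so server-side
    redirects on the final host are not followed.
    """
    chain = [url]
    for _ in range(max_hops):
        parsed = urlparse(chain[-1])
        param = REDIRECTORS.get((parsed.hostname or "").lower())
        if param is None:
            break
        target = parse_qs(parsed.query).get(param)  # parse_qs percent-decodes once
        if not target or not target[0].startswith(("http://", "https://")):
            break
        chain.append(target[0])
    return chain


def is_dynamic_dns(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def analyse(blob: bytes) -> list[dict]:
    """Summarise every URL in the blob: where it really leads and how many wrappers it passed."""
    results = []
    for url in extract_urls(blob):
        chain = unwrap_redirect(url)
        final_host = urlparse(chain[-1]).hostname or ""
        results.append({
            "found": url,
            "final": chain[-1],
            "final_host": final_host,
            "hops": len(chain) - 1,
            "dynamic_dns": is_dynamic_dns(final_host),
        })
    return results


if __name__ == "__main__":
    for r in analyse(SAMPLE_DOC):
        print(f"{r['found'][:60]}... -> {r['final']} (hops={r['hops']}, dyndns={r['dynamic_dns']})")
```

Scanning both encodings matters for .doc files in particular: a plain ASCII strings pass can miss a hyperlink that Word stored as UTF-16, and decoding the wrapper's parameter gives the phishing host without generating the DNS and TLS traffic that a live fetch would.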

System Summary:

Classification label
Source: classification engine | Classification label: sus22.phis.winDOC@4/46@2/2
Creates files inside the user directory
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Creates temporary files
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{742D79F8-7598-4347-9F1D-DED2699077BA} - OProcSessId.dat
Document contains an OLE Word Document stream indicating a Microsoft Word file
Source: Apple Invoice.doc | OLE indicator, Word Document stream: true
Document contains summary information with irregular field values
Source: Apple Invoice.doc | OLE document summary: title field not present or empty
Reads ini files
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
Spawns processes
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE' /Automation -Embedding
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3308 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3308 CREDAT:17410 /prefetch:2
All four process creations are the cookbook's doing, not the sample's: the /Automation -Embedding Word instance comes from the "Attach to Office via COM" step, and the Internet Explorer broker and its content process come from the "Browse link" step. The document itself starts no process.
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
The window changes are those of Word and the Internet Explorer instance the cookbook opened; no installer is involved.
Checks if Microsoft Office is installed
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Document has a 'lastprinted' value indicative of goodware
Source: Apple Invoice.doc | Initial sample: OLE summary lastprinted = 2018-12-22 14:01:00
Document has a 'vbamacros' value indicative of goodware
Source: Apple Invoice.doc | Initial sample: OLE indicators vbamacros = False

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
  • Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE; Process information set: NOOPENFILEERRORBOX (this identical event is recorded 108 times in the report)

Malware Configuration

No configs have been found

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Apple Invoice.doc | 0% | Virustotal | -

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
https://cdn.entity. | 0% | URL Reputation | safe
https://wus2-000.contentsync. | 0% | URL Reputation | safe
https://powerlift.acompli.net | 0% | Virustotal | -
https://powerlift.acompli.net | 0% | URL Reputation | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
https://api.aadrm.com/ | 0% | Virustotal | -
https://api.aadrm.com/ | 0% | URL Reputation | safe
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Virustotal | -
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Avira URL Cloud | safe
https://membership-data.servehttp.com/?paymentbership-data.servehttp.com%2F%3Fpayment&t=ODIzMDkyYTJj | 0% | Avira URL Cloud | safe
http://getbootstrap.com) | 0% | URL Reputation | safe
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | Virustotal | -
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
https://powerlift-frontdesk.acompli.net | 0% | Virustotal | -
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
https://officeci.azurewebsites.net/api/ | 0% | Virustotal | -
https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
https://wus2-000.pagecontentsync. | 0% | URL Reputation | safe
https://store.officeppe.com/addinstemplate | 0% | Virustotal | -
https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
https://www.odwebp.svc.ms | 0% | Virustotal | -
https://www.odwebp.svc.ms | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/ | 0% | Virustotal | -
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
https://membership-data.servehttp.com/HijaIyh_App/assets/img/favicon.ico~ | 0% | Avira URL Cloud | safe
https://officesetup.getmicrosoftkey.com | 0% | Virustotal | -
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
https://membership-data.servehttp.com/HijaIyh_App/assets/img/favicon.ico | 0% | Avira URL Cloud | safe
https://apis.live.net/v5.0/ | 0% | Virustotal | -
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
https://membership-data.servehttp.com/?payment | 0% | Avira URL Cloud | safe
https://membership-data.servehttp.com/?page=signin&appIdKey=dfd159e078f9d8064013e5bd9a8defa4d45f5f4a | 0% | Avira URL Cloud | safe
https://asgsmsproxyapi.azurewebsites.net/ | 0% | Virustotal | -
https://asgsmsproxyapi.azurewebsites.net/ | 0% | Avira URL Cloud | safe
http://www.linotype.com0 | 0% | Avira URL Cloud | safe
https://ncus-000.contentsync. | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | Virustotal | -
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe
https://o365diagnosticsppe-web.cloudapp.net | 0% | Virustotal | -
https://o365diagnosticsppe-web.cloudapp.net | 0% | Avira URL Cloud | safe
https://skyapi.live.net/Activity/ | 0% | Virustotal | -
https://skyapi.live.net/Activity/ | 0% | Avira URL Cloud | safe
https://dataservice.o365filtering.com | 0% | Virustotal | -
https://dataservice.o365filtering.com | 0% | URL Reputation | safe
https://ovisualuiapp.azurewebsites.net/pbiagave/ | 0% | Virustotal | -
https://ovisualuiapp.azurewebsites.net/pbiagave/ | 0% | Avira URL Cloud | safe
https://directory.services. | 0% | Virustotal | -
https://directory.services. | 0% | URL Reputation | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

Match: 66.6.33.31
Associated samples (all detected as malicious):
  • ReceiptDOC#KXJAISF2154915.docx
  • DOC-ID#SMGBSX2ABLIMBL.docx
  • Service Manage Account.docx
  • Service Manage Account.docx
  • Information-Account#138446.docx
  • https://t.umblr.com/redirect?z=https%3A%2F%2Flnkd.in%2FgXaNBXM&t=ZjNiZWY1MTQ4NzJlYjllMGEwNmQwZGQ5ZWNiNTllNDExYTA0ZDU1NCxqbDBoY2k4Sw%3D%3D&b=t%3Aumb0dLBh9U5Y24zQlWjBBQ&p=https%3A%2F%2Fapiskontol.tumblr.com%2Fpost%2F187014066685%2Fhttpslnkdingxanbxm&m=1

              Domains

Match: t.umblr.com
Associated samples (all detected as malicious), with the context IP of each:
  • ReceiptDOC#KXJAISF21.docx: 66.6.32.31
  • ReceiptDOC#KXJAISF21.docx: 66.6.33.159
  • ReceiptDOC#KXJAISF2154915.docx: 66.6.33.31
  • ReceiptDOC#KXJAISF2154915.docx: 66.6.32.31
  • DOC-ID#SMGBSX2ABLIMBL.docx: 66.6.33.31
  • DOC-ID#SMGBSX2ABLIMBL.docx: 66.6.32.31
  • Service Manage Account.docx: 66.6.33.159
  • Service Manage Account.docx: 66.6.33.31
  • Information-Account#138446.docx: 66.6.32.31
  • Information-Account#138446.docx: 66.6.33.31
  • https://t.umblr.com/redirect?z=http%3A%2F%2Fito.mx%2FDERisky&t=YjAxYmE1ZjJhZmQ3ZGVlODM3M2VmNDE1YjRiYTMzMWY5MzJkMDE2ZSxaTk01UTNhZw%3D%3D&b=t%3ATuqrLBAhVuwa0ZLMPTk29g&p=https%3A%2F%2Ffaldio.tumblr.tumblr.com%2Fpost%2F#104;ttpitomxgermany&m=1?trackID=FUCFCYAGET54168138: 66.6.32.31
  • https://t.umblr.com/redirect?z=https%3A%2F%2Flnkd.in%2FgXaNBXM&t=ZjNiZWY1MTQ4NzJlYjllMGEwNmQwZGQ5ZWNiNTllNDExYTA0ZDU1NCxqbDBoY2k4Sw%3D%3D&b=t%3Aumb0dLBh9U5Y24zQlWjBBQ&p=https%3A%2F%2Fapiskontol.tumblr.com%2Fpost%2F187014066685%2Fhttpslnkdingxanbxm&m=1: 66.6.33.31
  • https://t.umblr.com/redirect?z=http%3A%2F%2Ftop.nov.ru%2FwqcyN9&t=MzBjZGRjYzM3YjFjYzNhZmMyY2MzMjcwM2FhMzcwM2QwNjI5ZWJlOSxKdzJ0WnNrbQ%3D%3D&rand=555120030006: 66.6.33.159

              ASN

Match: unknown
Associated samples (all detected as malicious), with the context IP of each (the report shows this list twice, identically):
  • http://71.6.147.254: 71.6.147.254
  • 3uIMrGNzkk: 104.216.101.37
  • FA00-4677929.doc: 141.98.214.26
  • PostFinance SecureBrowser.exe: 194.41.226.22
  • FA00-2632571.doc: 141.98.214.26
  • FA00-8748880.doc: 141.98.214.26
  • revised document.xlsx: 108.62.12.134
  • revised document.xlsx: 108.62.12.134
  • Legacy.exe: 158.69.225.220
  • old.html: 52.218.109.122
  • old.html: 87.236.16.197
  • 35#U0441.exe: 5.2.78.43
  • http://199.21.76.78/search?q=1: 199.21.76.78
  • 71v7AJlVF6: 37.120.140.211
  • xorEBlUBQj: 172.217.168.66
  • http://www.vasi-snovi.com/highslide/graphics/index.html: 185.119.88.235
  • FA-8874 Medical report p2.doc: 104.27.157.5
  • -#U2709-Employee-Benefits-Pol#U03b9cy-9493556283243-33383838558-857585.htm: 68.66.216.23
  • https://protect-us.mimecast.com/s/z9PfC9rYmEuzL735soaia7?domain=microsoftonlinedocuments.onlyoffice.eu: 216.239.32.21
  • https://e5.onthehub.com/d.ashx?s=2cigogpdpy&data=02|01|pearceke@wwu.edu|53504869a4954233dc0a08d7a109426d|dc46140ce26f43efb0ae00f257f478ff|0|1|637154933458118240&sdata=YMiRe79OGD6ddy28bFb1Hw16ozg+rScH9r70tgmnqeY=&reserved=0: 157.240.27.27

              JA3 Fingerprints

Match: 9e10692f1b7f78228b2d4e424db3a98c
Associated samples (all detected as malicious); every entry carries the same two context IPs, 167.172.246.65 and 66.6.33.31:
  • old.html
  • old.html
  • -#U2709-Employee-Benefits-Pol#U03b9cy-9493556283243-33383838558-857585.htm
  • https://e5.onthehub.com/d.ashx?s=2cigogpdpy&data=02|01|pearceke@wwu.edu|53504869a4954233dc0a08d7a109426d|dc46140ce26f43efb0ae00f257f478ff|0|1|637154933458118240&sdata=YMiRe79OGD6ddy28bFb1Hw16ozg+rScH9r70tgmnqeY=&reserved=0
  • https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fus4.mailchimp.com%2Fmctx%2Fclicks%3Furl%3Dhttps%253A%252F%252Fmyfitnessmantra.me%252Fdemgy%26h%3Dc2a34fa9378dd6cc811382d5e88f3947bf5e86fdcb68ee309abab4ec1cd3d1ba%26v%3D1%26xid%3D5b422e1e88%26uid%3D130479218%26pool%3D%26subject%3D%3F%23nico.pauli%40smartdrive.net%231&data=02%7C01%7Cnico.pauli%40smartdrive.net%7Cca524e48661d401d6a4708d7a101e297%7C08aa93fc293c4ab69c0e8a90be1c0af7%7C0%7C1%7C637154901777640389&sdata=a61I3ATK3lzKlBAc4%2B7bP5YncJz8Evg2P23g3FZtW58%3D&reserved=0
  • https://us4.mailchimp.com/mctx/clicks?url=https%3A%2F%2Fmyfitnessmantra.me%2Fdemgy&h=c2a34fa9378dd6cc811382d5e88f3947bf5e86fdcb68ee309abab4ec1cd3d1ba&v=1&xid=5b422e1e88&uid=130479218&pool=&subject=?#nico.pauli@smartdrive.net#1
  • https://www.osgroup-me.com/pmsl/?email=arivera@gswater.com
  • https://us4.mailchimp.com/mctx/clicks?url=https%3A%2F%2Fmyfitnessmantra.me%2Fdemgy&h=c2a34fa9378dd6cc811382d5e88f3947bf5e86fdcb68ee309abab4ec1cd3d1ba&v=1&xid=5b422e1e88&uid=130479218&pool=&subject=?#bobo@bobonet.com
  • https://us4.mailchimp.com/mctx/clicks?url=https%3A%2F%2Fmyfitnessmantra.me%2Fdemgy&h=c2a34fa9378dd6cc811382d5e88f3947bf5e86fdcb68ee309abab4ec1cd3d1ba&v=1&xid=5b422e1e88&uid=130479218&pool=&subject=?#tod.friedman@americansignaturefurniture.com
  • https://officerh5fjh1pk2tqvog.oss-eu-west-1.aliyuncs.com/index.php?c=ooo04ao0o013ao019a.o01ao3o3o011ao1o013aoooo02ao1o3.o09ao019ao03ao08ao3o013ao2o02ao0.o01ao3o09a
  • https://www.shame.co.il/365/other.php?email=xyz@global.com
  • https://dejara.net//vendor/Locked/index.php?email=rmccarty@powersar.com
  • https://protect-us.mimecast.com/s/2zKWCNkWxNI9219SmrPxC?domain=shame.co.il
  • https://bvi.gov.vg/fatca
  • _Readme_Decrypt__Files.html
  • _Readme_Recovery_ReadMe.html
  • _Readme_Help_Important.html
  • _Readme_Help_Help_Help.html
  • -#U2709-Colt-Employee-Benefits-Pol#U03b9cy-45766405.html
  • http://axdsz.pro/?target=-7EBNQCgQAAAPQGwPVLQAFAQEREQoRCQoRDUIRDRIAAX9hZGNvbWJvATE#al=26230#ap=26041

              Dropped Files

              No context

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.