flash

Loyalty..docx

Status: finished
Submission Time: 03.12.2019 07:38:42
Suspicious
Exploiter

Comments

Tags

Details

  • Analysis ID:
    193298
  • API (Web) ID:
    284728
  • Analysis Started:
    03.12.2019 07:38:43
  • Analysis Finished:
    03.12.2019 07:54:15
  • MD5:
    a4c7498b67d1e449b85b0a42edcbeee3
  • SHA1:
    3301d72d5648cd35f716c89edf8d8499533d2f38
  • SHA256:
    36a706d0de9c80fbadde09cf4f84113ac310a522b1759f0cb6ff4bf51ba8c153
  • Technologies:
Full Report / Engine Info / Verdict / Score

Run 1
  • System: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
  • Error: Incomplete analysis, please check the report for detailed error information
  • Verdict: suspicious
  • Score: 21/100

Run 2
  • System: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
  • Run Condition: Potential for more IOCs and behavior
  • Verdict: suspicious
  • Score: 22/100

IPs

IP              Country        Detection
172.217.23.227  United States  -
45.56.217.107   Canada         -

Domains

Name                   IP              Detection
korkoladesign.com      45.56.217.107   -
www.google.co.za       172.217.23.227  -
www.korkoladesign.com  0.0.0.0         -

URLs

Name Detection
https://loki.delve.office.com/api/v1/configuration/officewin32/u
http://search.chol.com/favicon.ico
http://www.mercadolivre.com.br/
https://login.windows.net/common/oauth2/authorizedngk
http://www.merlin.com.pl/favicon.ico
http://www.korkoladesign.com/wp-content/uploads/2015/11/olg.pngg
https://shell.suite.office.com:1443er
http://www.dailymail.co.uk/
https://www.google.co.za/favicon.icok
https://login.windows.net/common/oauth2/authorizeal
https://login.windows-ppe.net/common/oauth2/authorize?
https://www.google.co.za/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=gn.com/portfolio_pa
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
https://login.windows.net/common/oauth2/authorize1ed8r
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
https://rpsticket.partnerservices.getmicrosoftkey.com
https://lookup.onenote.com/lookup/geolocation/v1
https://www.google.co.za/favicon.ico~
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlbled
https://www.google.co.za/favicon.icoz
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
http://fr.search.yahoo.com/
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
http://in.search.yahoo.com/
https://login.windows.net/common/oauth2/authorizeMRUU
http://img.shopzilla.com/shopzilla/shopzilla.ico
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveApp
https://login.windows.net/common/oauth2/authorized3
https://settings.outlook.comSp
http://msk.afisha.ru/
https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13che
http://www.reddit.com/
http://busca.igbusca.com.br//app/static/images/favicon.ico
https://api.powerbi.com/v1.0/myorg/groupsLasso
https://res.getmicrosoftkey.com/api/redemptionevents
https://tasks.office.com
http://www.ya.com/favicon.ico
https://www.google.co.za/favicon.ico2
http://www.etmall.com.tw/favicon.ico
https://incidents.diagnosticssdf.office.comavVHV=
https://ovisualuiapp.azurewebsites.net/pbiagave/nv5
http://it.search.dada.net/favicon.ico
http://www.korkoladesign.com/portfolio_page/ontario-lottery-and-gaming/res://ieframe.dll/dnserror.ht
https://store.office.cn/addinstemplate
http://cps.letsencrypt.org0
http://search.hanafos.com/favicon.ico
https://wus2-000.pagecontentsync.
http://cgi.search.biglobe.ne.jp/favicon.ico
http://ocsp.pki.goog/gts1o10
https://onedrive.live.com/embed?i
http://search.msn.co.jp/results.aspx?q=
https://login.windows.net/common/oauth2/authorizel1234
https://www.odwebp.svc.ms
http://buscar.ozu.es/
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDriveceZ
https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA29
https://login.windows.net/common/oauth2/authorize32P
http://ocsp.pki.goog/gsr202
https://pki.goog/repository/0
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
https://graph.windows.net
http://www.ask.com/
http://www.google.it/
http://search.auction.co.kr/
https://www.google.co.za/favicon.icoU
http://www.amazon.de/
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonMBI_SSLpeople.directory.
http://sads.myspace.com/
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bings
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArtice9
https://management.azure.comp
https://www.google.co.za/favicon.icoc
https://login.windows.net/common/oauth2/authorizeics
https://login.windows.net/common/oauth2/authorizeled:t
https://login.windows.net/common/oauth2/authorizeabled
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
http://weather.service.msn.com/data.aspx
http://www.pchome.com.tw/favicon.ico
http://browse.guardian.co.uk/favicon.ico
http://crl.pki.goog/gsr2/gsr2.crl0?
http://google.pchome.com.tw/
http://list.taobao.com/browse/search_visual.htm?n=15&q=
http://www.rambler.ru/favicon.ico
https://templatelogging.office.com/client/log1AppAcquisitionLogginghttps://
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
http://uk.search.yahoo.com/
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
http://www.ozu.es/favicon.ico
https://login.windows.net/common/oauth2/authorizebled
http://search.sify.com/
https://api.powerbi.com/v1.0/myorg/datasetsBearer
http://openimage.interpark.com/interpark.ico
http://search.yahoo.co.jp/favicon.ico
https://login.windows.net/common/oauth2/authorized
http://www.gmarket.co.kr/
http://www.korkoladesign.com/portfolio_page/ontario-lottery
http://www.founder.com.cn/cn/bThe
http://search.nifty.com/
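Almost all of the 100 URL strings above are background traffic from the sandbox image itself (Office licensing, telemetry and OAuth endpoints, OCSP, and the favicon and site-root strings that Internet Explorer keeps for its search providers), and many carry trailing bytes because they were carved from process memory. The only host that is not part of that background is korkoladesign.com, which the Domains table ties to 45.56.217.107. The Python script below is an added example, not part of the report or of any analysis tool: it buckets a copied subset of the URL table into noise, carved-string damage and real candidates, then pivots the candidates through the Domains and IPs tables. The NOISE_SUFFIXES list and the rules for spotting a damaged carved string (non-numeric port, upper-case host tail, dangling dot) are the editor's assumptions and should be tuned per environment.

```python
"""Triage of the network indicators from the Loyalty..docx sandbox report.

Added example (not part of the report): splits the URL list into Office/IE
background noise, carved-string artefacts and real candidate indicators, then
pivots the candidates through the Domains and IPs tables.
"""
import re
from urllib.parse import urlsplit

# Copied from the report's IPs and Domains tables.
REPORT_IPS = {"172.217.23.227": "United States", "45.56.217.107": "Canada"}
REPORT_DOMAINS = {
    "korkoladesign.com": "45.56.217.107",
    "www.google.co.za": "172.217.23.227",
    "www.korkoladesign.com": "0.0.0.0",  # no usable address came back for this name
}
# Representative subset of the report's URL table, copied verbatim, including the
# trailing bytes the string carver left on several entries.
REPORT_URLS = [
    "https://loki.delve.office.com/api/v1/configuration/officewin32/u",
    "http://search.chol.com/favicon.ico",
    "http://www.mercadolivre.com.br/",
    "https://login.windows.net/common/oauth2/authorizedngk",
    "http://www.korkoladesign.com/wp-content/uploads/2015/11/olg.pngg",
    "https://shell.suite.office.com:1443er",
    "https://www.google.co.za/favicon.icok",
    "https://wus2-000.pagecontentsync.",
    "http://ocsp.pki.goog/gts1o10",
    "https://settings.outlook.comSp",
    "http://www.korkoladesign.com/portfolio_page/ontario-lottery-and-gaming/res://ieframe.dll/dnserror.ht",
]

# Assumption: hosts under these suffixes are Office/Windows/IE housekeeping on the
# sandbox image (telemetry, licensing, OAuth, OCSP), not behaviour of the sample.
NOISE_SUFFIXES = (
    "office.com", "office.net", "office.cn", "live.com", "windows.net",
    "windows-ppe.net", "outlook.com", "microsoft.com", "msn.com", "bingapis.com",
    "azurewebsites.net", "azure.com", "powerbi.com", "onenote.com", "virtualearth.net",
    "getmicrosoftkey.com", "lync.com", "svc.ms", "uservoice.com",
    "microsofttranslator.com", "pki.goog", "letsencrypt.org",
)
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOST_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})+$")


def host_of(url):
    """Return the host of a carved URL string, or None when the netloc is damaged.

    Heuristic (assumption): carved strings run into neighbouring memory, so a
    non-numeric port ("1443er"), an upper-case tail on the host ("comSp") or a
    dangling dot are treated as damage rather than as a real host.
    """
    host, _, port = urlsplit(url).netloc.partition(":")
    if port and not port.isdigit():
        return None
    if host != host.lower() or not HOST_RE.match(host):
        return None
    return host


def classify_url(url):
    """Bucket one URL: malformed / noise / favicon_probe / root_only / candidate."""
    host = host_of(url)
    if host is None:
        return "malformed"
    if any(host == s or host.endswith("." + s) for s in NOISE_SUFFIXES):
        return "noise"
    path = urlsplit(url).path.lower()
    if ".ico" in path:        # IE search-provider favicon strings (".icok" still matches)
        return "favicon_probe"
    if path in ("", "/"):     # bare site roots from the same IE string tables
        return "root_only"
    return "candidate"


def triage(urls):
    """Group URLs by bucket, deduplicated and sorted, so the candidate set is readable."""
    buckets = {}
    for url in urls:
        buckets.setdefault(classify_url(url), set()).add(url)
    return {k: sorted(v) for k, v in buckets.items()}


def pivot_candidates(urls, domains=REPORT_DOMAINS, ips=REPORT_IPS):
    """Turn candidate URLs into hunting indicators: hosts, their apex, resolved IPs.

    A resolution to 0.0.0.0 keeps the host as an indicator but yields no IP.
    """
    hosts = set()
    for url in triage(urls).get("candidate", []):
        host = host_of(url)
        hosts.add(host)
        if host.startswith("www.") and host[4:] in domains:
            hosts.add(host[4:])
    resolved = {domains[h] for h in hosts if domains.get(h, "0.0.0.0") != "0.0.0.0"}
    return {
        "hosts": sorted(hosts),
        "ips": sorted((ip, ips.get(ip, "?")) for ip in resolved),
    }


if __name__ == "__main__":
    for bucket, items in triage(REPORT_URLS).items():
        print(f"{bucket}: {len(items)}")
    print(pivot_candidates(REPORT_URLS))
```

On the subset above this leaves two candidate URLs, both on www.korkoladesign.com, and pivots them to korkoladesign.com and 45.56.217.107. The `res://ieframe.dll/dnserror` fragment glued onto one of those URLs, together with the 0.0.0.0 entry for www.korkoladesign.com and the dnserror[1] page in the dropped IE cache, is consistent with the name not resolving during the run, so the Windows 10 run's note about "more IOCs and behavior" should be read as: the sample tried to fetch from that host and did not get an answer.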

Dropped files

Name / File Type
  • C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2CF7092B-15E4-11EA-AADB-C25F135D3C65}.dat
    Microsoft Word Document
  • C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{2CF7092D-15E4-11EA-AADB-C25F135D3C65}.dat
    Microsoft Word Document
  • C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{45D5DAAC-15E4-11EA-AADB-C25F135D3C65}.dat
    Microsoft Word Document
  • C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
    XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
    XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
    XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
    XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
    XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
    XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
    XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
    XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
    XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\6aw4uvh\imagestore.dat
    data
  • C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\EBD278FA-94FE-46CF-B8F7-28DCF57A1CF9
    XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml
    XML 1.0 document, ASCII text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
    SQLite Write-Ahead Log, version 3007000
  • C:\Users\user\AppData\Local\Microsoft\Office\OTele\winword.exe.db.session
    SQLite 3.x database, last written using SQLite version 3019003
  • C:\Users\user\AppData\Local\Microsoft\Office\OTele\winword.exe.db.session-journal
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7A6A84C0.png
    PNG image data, 128 x 78, 8-bit/color RGBA, non-interlaced
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{E4771163-FB58-4D23-BFA7-5B2E2A39EFFC}.tmp
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{E9552E51-1A19-4DAE-9EEF-F989019CB74A}.tmp
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\errorPageStrings[1]
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\favicon[2].ico
    MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\olg[1].htm
    HTML document, ASCII text
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\url[1].htm
    HTML document, ASCII text, with very long lines
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\dnserror[1]
    HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\V5D02472\down[1]
    PNG image data, 15 x 15, 8-bit colormap, non-interlaced
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\olg[1].htm
    HTML document, ASCII text
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VTIIBVU5\NewErrorPageTemplate[1]
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VTIIBVU5\url[1].htm
    HTML document, ASCII text, with very long lines
  • C:\Users\user\AppData\Local\Temp\~DF11C1BB160A590842.TMP
    data
  • C:\Users\user\AppData\Local\Temp\~DF4A82A57BD599A196.TMP
    data
  • C:\Users\user\AppData\Local\Temp\~DFFA23D101D17A7DB4.TMP
    data
  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Loyalty..LNK
    MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu May 23 20:36:40 2019, mtime=Tue Dec 3 14:46:43 2019, atime=Tue Dec 3 14:46:35 2019, length=59237, window=hide
  • C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
    data
  • C:\Users\user\Desktop\~$yalty..docx
    data