
Analysis Report 5D8LUc9S4d.doc

Overview

General Information

Sample Name:5D8LUc9S4d.doc
Analysis ID:299563
MD5:a6e6fddbc42409c5a0a3dee8e84d6f2a
SHA1:6e0a27833a3d429a98b887e575263b05f3665e61
SHA256:71412027c3b5c6b27d4d22b43dd073bca949af7b5731d7f44c2f9406801d13fe

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Benign windows process drops PE files
Document exploit detected (creates forbidden files)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Office product drops script at suspicious location
Creates processes via WMI
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document contains an embedded VBA macro which may check the desktop resolution (possible anti-VM)
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document contains an embedded macro with GUI obfuscation
Microsoft Office drops suspicious files
Potential malicious VBS script found (has network functionality)
Yara detected hidden Macro 4.0 in Excel
Allocates a big amount of memory (probably used for heap spraying)
Contains capabilities to detect virtual machines
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Classification

Startup

  • System is w10x64
  • WINWORD.EXE (PID: 6684 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
  • explorer.exe (PID: 6496 cmdline: explorer.exe C:\Users\user\AppData\Local\Temp\ExcelVBA.vbs MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 1324 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • wscript.exe (PID: 5748 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\ExcelVBA.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: 5D8LUc9S4d.doc | Rule: JoeSecurity_HiddenMacro | Description: Yara detected hidden Macro 4.0 in Excel | Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Office product drops script at suspicious location
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, ProcessId: 6684, TargetFilename: C:\Users\user\AppData\Local\Temp\ExcelVBA.vbs

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\oniac.dll | ReversingLabs: Detection: 44%
Multi AV Scanner detection for submitted file
Source: 5D8LUc9S4d.doc | Virustotal: Detection: 12%
Source: 5D8LUc9S4d.doc | ReversingLabs: Detection: 10%

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\ExcelVBA.vbs
Source: winword.exe | Memory has grown: Private usage: 0MB later: 85MB

Networking:

Potential malicious VBS script found (has network functionality)
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Dropped file (obfuscated script content omitted)
Source: 5D8LUc9S4d.doc | String found in binary or memory: http://www.Planet-Source-Code.com/vb/scripts/Sh
Source: 5D8LUc9S4d.doc | String found in binary or memory: http://www.Planet-Source-Code.com/vb/scripts/ShowCode.asp?txtCodeId=6077&lngWId=1.
Source: 5D8LUc9S4d.doc | String found in binary or memory: http://www.allapi.net

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Document image extraction number: 0 | Screenshot OCR: Enable Editing" from the yllow bar above and then click "Enable Content".
Source: Document image extraction number: 0 | Screenshot OCR: Enable Content".
Document contains an embedded VBA macro which may check the desktop resolution (possible anti-VM)
Source: 5D8LUc9S4d.doc | OLE, VBA macro line: Private Declare Function GetSystemMetrics Lib "User32" (ByVal nIndex As Long) As Long
Document contains an embedded VBA macro with suspicious strings
Source: 5D8LUc9S4d.doc | OLE, VBA macro line: Private Declare Function GetTempPath Lib "kernel32" Alias "GetTempPathA" (ByVal nBufferLength As Long, ByVal lpBuffer As String) As Long
Source: 5D8LUc9S4d.doc | OLE, VBA macro line: RegularExpressions.CreateTextFile VBA.Environ("TEMP") & "\ExcelVBA.vbs"
Source: 5D8LUc9S4d.doc | OLE, VBA macro line: RegularExpressions.CreateTextFile VBA.Environ("TEMP") & "\ExcelVBA.vbs"
Source: 5D8LUc9S4d.doc | OLE, VBA macro line: Set p = RegularExpressions.OpenTextFile(VBA.Environ("TEMP") & "\ExcelVBA.vbs", 8, 1)
Source: 5D8LUc9S4d.doc | OLE, VBA macro line: errReturn = objinstance.Create("explorer.exe " & VBA.Environ("TEMP") & "\ExcelVBA.vbs", Null, objConfig, intProcessID)
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function PARTPAVLDOFDSFMAFKDSIGSDGOADASKDDMBDFKBDFINDNMKFADAL, String createtextfile: RegularExpressions.CreateTextFile VBA.Environ("TEMP") & "\ExcelVBA.vbs" | Name: PARTPAVLDOFDSFMAFKDSIGSDGOADASKDDMBDFKBDFINDNMKFADAL
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function PARTPAVLDOFDSFMAFKDSIGSDGOADASKDDMBDFKBDFINDNMKFADAL, String environ: RegularExpressions.CreateTextFile VBA.Environ("TEMP") & "\ExcelVBA.vbs" | Name: PARTPAVLDOFDSFMAFKDSIGSDGOADASKDDMBDFKBDFINDNMKFADAL
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function PARTPAVLDOFDSFMAFKDSIGSDGOADASKDDMBDFKBDFINDNMKFADAL, String environ: Set p = RegularExpressions.OpenTextFile(VBA.Environ("TEMP") & "\ExcelVBA.vbs", 8, 1) | Name: PARTPAVLDOFDSFMAFKDSIGSDGOADASKDDMBDFKBDFINDNMKFADAL
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function PARTPAVLDOFDSFMAFKDSIGSDGOADASKDDMBDFKBDFINDNMKFADAL, String environ: errReturn = objinstance.Create("explorer.exe " & VBA.Environ("TEMP") & "\ExcelVBA.vbs", Null, objConfig, intProcessID) | Name: PARTPAVLDOFDSFMAFKDSIGSDGOADASKDDMBDFKBDFINDNMKFADAL
Document contains an embedded VBA with base64 encoded strings
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function UserControl_ReadProperties, String HighLightBorderColor
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function UserControl_ReadProperties, String HighLightPictureUser
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function UserControl_ReadProperties, String ListGradient
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function UserControl_ReadProperties, String ListPositionShow
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function UserControl_ReadProperties, String MousePointer
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function UserControl_ReadProperties, String OfficeAppearance
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function UserControl_ReadProperties, String XpAppearance
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function UserControl_WritelineProperties, String HighLightBorderColor
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function UserControl_WritelineProperties, String HighLightPictureUser
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function UserControl_WritelineProperties, String ListGradient
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function UserControl_WritelineProperties, String ListPositionShow
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function UserControl_WritelineProperties, String MousePointer
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function UserControl_WritelineProperties, String OfficeAppearance
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function UserControl_WritelineProperties, String XpAppearance
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function HighLightBorderColor, String HighLightBorderColor
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function Set HighLightPictureUser, String HighLightPictureUser
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function ListGradientfdbdfb, String ListGradient
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function ListPositionShowbnga, String ListPositionShow
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function OfficeAppearancefbdfbd, String OfficeAppearance
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function XpAppearance, String XpAppearance
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Source: 5D8LUc9S4d.doc | Stream path 'Macros/VBA/Module1' : found possibly 'ADODB.Stream' functions mode, position, open, read, write
Document contains an embedded macro with GUI obfuscation
Source: 5D8LUc9S4d.doc | Stream path 'WordDocument' : Found suspicious string wscript.shell in non macro stream
Microsoft Office drops suspicious files
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\ExcelVBA.vbs
Source: 5D8LUc9S4d.doc | OLE, VBA macro line: Private Sub Document_Close()
Source: 5D8LUc9S4d.doc | OLE, VBA macro line: Private Sub Document_New()
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function Document_Close | Name: Document_Close
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function Document_New | Name: Document_New
Source: 5D8LUc9S4d.doc | OLE indicator, VBA macros: true
Source: classification engine | Classification label: mal100.expl.evad.winDOC@5/10@0/0
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{1CDBD362-6D6E-405C-B498-5C125F0F675B} - OProcSessId.dat
Source: 5D8LUc9S4d.doc | OLE indicator, Word Document stream: true
Source: 5D8LUc9S4d.doc | Stream path 'Macros/VBA/Module1' : VBA code
Source: 5D8LUc9S4d.doc | Stream path 'Macros/VBA/Module1' : VBA code
Source: 5D8LUc9S4d.doc | OLE document summary: title field not present or empty
Source: 5D8LUc9S4d.doc | OLE document summary: author field not present or empty
Source: 5D8LUc9S4d.doc | OLE document summary: edited time not present or 0
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\ExcelVBA.vbs
Source: unknown | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Windows\explorer.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: 5D8LUc9S4d.docVirustotal: Detection: 12%
    Source: 5D8LUc9S4d.docReversingLabs: Detection: 10%
    Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
    Source: unknownProcess created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\ExcelVBA.vbs
    Source: unknownProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\ExcelVBA.vbs'
    Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\ExcelVBA.vbs' Jump to behavior
    Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguagesJump to behavior
    Source: 5D8LUc9S4d.docStatic file information: File size 1228288 > 1048576
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior
    Source: Binary string: c:\Users\Beauregard\Downloads\Urdu(Pakis2120577152008\Urdu (Pakistan) Text Writer(Source)\Release\Urdu (Pakistan) Text Writer.pdb source: wscript.exe, 00000015.00000003.451920456.0000021028DA1000.00000004.00000001.sdmp, oniac.dll.21.dr

    Data Obfuscation:

    Document contains an embedded VBA with many string operations indicating source code obfuscation
    Source: 5D8LUc9S4d.doc; Stream path 'Macros/VBA/Module1': high number of string operations

    Persistence and Installation Behavior:

    Creates processes via WMI
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
    Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
    Source: C:\Windows\System32\wscript.exe; File created (dropped file): C:\Users\user\AppData\Local\Temp\oniac.dll
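The WMI evidence above is the detail a detection engineer should act on: WINWORD.EXE issues Win32_Process::Create, and the process list shows wscript.exe being created by explorer.exe rather than by WINWORD.EXE, so a rule that only looks for an Office process as the direct parent of a script host would not fire on this chain. The following Python is an added example written for this page, not code from the Joe Sandbox report or from the sample; it correlates an Office process writing a script file into the user's Temp directory with a later script-host launch of that same path, without conditioning on the parent process. The event layout (EventID 11 for file creation, EventID 1 for process creation, with Image, TargetFilename, CommandLine and ParentImage fields) is a Sysmon-style assumption, and the sample events are constructed, modelled on the report's process tree; the WmiPrvSE.exe parent of the intermediate explorer.exe is an assumption, since the report lists that creator as unknown.

```python
"""
Added example (not part of the sandbox report): correlate an Office process
writing a script into %TEMP% with a later script-host execution of that path.

Event records are constructed, Sysmon-style dictionaries; the field names
(EventID, Image, TargetFilename, CommandLine, ParentImage) are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")


@dataclass
class Alert:
    writer: str            # Office image that wrote the script file
    script_path: str       # normalised path of that script
    executor: str          # script host that executed it
    executor_parent: str   # parent of the script host, reported for context only
    parent_is_office: bool  # False on the report's chain (parent is explorer.exe)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def correlate(events: Iterable[Dict]) -> List[Alert]:
    """Single pass over time-ordered events.

    EventID 11: remember script files written by an Office process.
    EventID 1: if a script host starts with one of those paths on its command
    line, raise an alert. The parent image is recorded but never used as a
    condition, which is what keeps the WMI / explorer.exe launch visible.
    """
    written: Dict[str, str] = {}   # normalised script path -> writing image
    alerts: List[Alert] = []
    for ev in events:
        if ev["EventID"] == 11:
            image = _basename(ev["Image"])
            target = _norm(ev["TargetFilename"])
            if image in OFFICE_IMAGES and target.endswith(SCRIPT_EXTENSIONS):
                written[target] = image
        elif ev["EventID"] == 1:
            image = _basename(ev["Image"])
            if image not in SCRIPT_HOSTS:
                continue
            cmd = _norm(ev["CommandLine"])
            parent = _basename(ev["ParentImage"])
            for path, writer in written.items():
                if path in cmd:
                    alerts.append(Alert(writer, path, image, parent,
                                        parent in OFFICE_IMAGES))
    return alerts


# Constructed sample, modelled on the report's process tree. The WmiPrvSE.exe
# parent of explorer.exe is an assumption (the report lists it as unknown).
SAMPLE_EVENTS = [
    {"EventID": 11,
     "Image": r"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\ExcelVBA.vbs"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"explorer.exe C:\Users\user\AppData\Local\Temp\ExcelVBA.vbs",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ExcelVBA.vbs"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Benign control: an admin script run from cmd.exe, never written by Office.
    {"EventID": 1, "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe C:\tools\inventory.vbs",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def run_sample() -> List[Alert]:
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample the benign cscript.exe launch produces nothing, while the ExcelVBA.vbs chain produces one alert whose parent is explorer.exe and whose `parent_is_office` flag is false; that flag is exactly the information a parent-child rule would have used to dismiss the event.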

    Hooking and other Techniques for Hiding and Protection:

    Document contains an embedded VBA macro which may check the desktop resolution (possible anti-VM)
    Source: 5D8LUc9S4d.doc; OLE, VBA macro line: Private Declare Function GetSystemMetrics Lib "User32" (ByVal nIndex As Long) As Long
    Source: C:\Windows\explorer.exe; Registry key monitored for changes: HKEY_CURRENT_USER_Classes
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; Process information set: NOOPENFILEERRORBOX (reported 111 times)
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Windows\explorer.exe; Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wscript.exe; Process information set: NOOPENFILEERRORBOX (reported 2 times)
    Source: C:\Windows\explorer.exe; File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: C:\Windows\System32\wscript.exe; Window found: window name: WSH-Timer
    Source: C:\Windows\System32\wscript.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\oniac.dll
    Source: wscript.exe, 00000015.00000003.425443930.0000020FD4840000.00000004.00000001.sdmp, 5D8LUc9S4d.doc; Binary or memory string: "Hh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4ez88eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh7PHgfsN7F65B4eHgsLCws" & _
    Source: wscript.exe, 00000015.00000003.425997292.0000020FD4670000.00000004.00000001.sdmp; Binary or memory string: _Hh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4ez88eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh7PHgfsN7F65B4eHgsLCwsPKI3

    HIPS / PFW / Operating System Protection Evasion:

    Benign windows process drops PE files
    Source: C:\Windows\System32\wscript.exe; File created (dropped file): oniac.dll.21.dr
    Document contains VBA stomped code (only p-code) potentially bypassing AV detection
    Source: 5D8LUc9S4d.doc; OLE indicator, VBA stomping: true
    Yara detected hidden Macro 4.0 in Excel
    Source: Yara match; File source: 5D8LUc9S4d.doc, type: SAMPLE
    Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Mitre Att&ck Matrix

    The report's matrix, flattened here to one line per tactic. A number in parentheses is the superscript signature count the report attaches to a matched technique, kept exactly as extracted; entries without a count are the unmatched cells of the report's standard matrix.

    Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
    Execution: Windows Management Instrumentation (11), Scripting (731), Exploitation for Client Execution (2), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter
    Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
    Privilege Escalation: Process Injection (1), Extra Window Memory Injection (1), Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
    Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (1), Process Injection (1), Scripting (731), Obfuscated Files or Information (1), Obfuscated Files or Information (1), Extra Window Memory Injection (1)
    Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
    Discovery: Query Registry (1), Security Software Discovery (211), Virtualization/Sandbox Evasion (1), File and Directory Discovery (1), System Information Discovery (4), System Owner/User Discovery, Network Sniffing, Network Service Scanning
    Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot
    Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
    Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
    Command and Control: Data Obfuscation, Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
    Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols
    Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
    Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue

    Behavior Graph

    (The interactive behavior graph is not reproduced here. Its legend distinguishes: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic.)