Play interactive tour

Edit tour

Analysis Report documenti 12.01.20.doc

Overview

General Information

Sample Name:	documenti 12.01.20.doc
Analysis ID:	326338
MD5:	f530de77053a5c25a94f930bb954bcf8
SHA1:	46cbf6e7a7ad04e3586c88a7a0d2cbcb141c3ec4
SHA256:	1e70cc7a76bf59a5b559e496a0e83f91e13526533c89f001619ca70324ebfd82
Most interesting Screenshot:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (drops PE files)

Multi AV Scanner detection for submitted file

Sigma detected: BlueMashroom DLL Load

Creates processes via WMI

Drops PE files to the user root directory

Drops PE files with a suspicious file extension

Machine Learning detection for sample

Office process drops PE file

Sigma detected: Regsvr32 Anomaly

Allocates memory with a write watch (potentially for evading sandboxes)

Contains capabilities to detect virtual machines

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains an embedded VBA macro which reads document properties (may be used for disguise)

Document contains embedded VBA macros

Document contains no OLE stream with summary information

Document has an unknown application name

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Searches for the Microsoft Outlook file path

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

WINWORD.EXE (PID: 1844 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)

ms.com (PID: 5308 cmdline: C:\users\public\ms.com C:\users\public\ms.html MD5: 7083239CE743FDB68DFC933B7308E80A)

regsvr32.exe (PID: 6192 cmdline: 'C:\Windows\System32\regsvr32.exe' C:\Users\user\AppData\Local\Temp\temp.tmp MD5: 426E7499F6A7346F0410DEAD0805586B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: BlueMashroom DLL Load

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\System32\regsvr32.exe' C:\Users\user\AppData\Local\Temp\temp.tmp, CommandLine: 'C:\Windows\System32\regsvr32.exe' C:\Users\user\AppData\Local\Temp\temp.tmp, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: C:\users\public\ms.com C:\users\public\ms.html, ParentImage: C:\Users\Public\ms.com, ParentProcessId: 5308, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' C:\Users\user\AppData\Local\Temp\temp.tmp, ProcessId: 6192

Sigma detected: Regsvr32 Anomaly

Show sources

Source: Process started

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: documenti 12.01.20.doc

Virustotal: Detection: 29%

Perma Link

Machine Learning detection for sample

Show sources

Source: documenti 12.01.20.doc

Joe Sandbox ML: detected

Software Vulnerabilities:

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: ms.com.0.dr

Jump to dropped file

Source: global traffic

DNS query: name: nfj254aim.com

Source: global traffic

TCP traffic: 192.168.2.3:49711 -> 104.28.6.227:80

Source: global traffic

TCP traffic: 192.168.2.3:49711 -> 104.28.6.227:80

Source: global traffic

HTTP traffic detected: GET /analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rwwHf1xOO/7n6dDzF/xspcd2?RltAN=vsETwS&G_=Ro_LgyQulrPjxaAj&wixw=XYJCRUJhgYHPY&bkUOD=AXjbvUQDbTcWkz HTTP/1.1Accept: */*Accept-Language: en-usAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: nfj254aim.comConnection: Keep-Alive

Source: global traffic

Source: unknown

DNS traffic detected: queries for: nfj254aim.com

Source: ms.com, 00000001.00000003.224033467.0000000006E03000.00000004.00000040.sdmp	String found in binary or memory: http://nfj254aim.com/analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rw
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://api.office.net
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://augloop.office.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://cdn.entity.
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://cortana.ai
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://cr.office.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://directory.services.
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://graph.windows.net
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: ms.com, 00000001.00000002.228795664.0000000006A27000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://login.windows.local
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://management.azure.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://management.azure.com/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://ncus-000.contentsync.
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://ncus-000.pagecontentsync.
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://outlook.office.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://tasks.office.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://wus2-000.contentsync.
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://wus2-000.pagecontentsync.
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

System Summary:

Office process drops PE file

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\Public\ms.com

Jump to dropped file

Source: documenti 12.01.20.doc	OLE, VBA macro line: Sub AutoOpen()
Source: VBA code instrumentation	OLE, VBA macro: Module aH8xms, Function AutoOpen

Source: documenti 12.01.20.doc

OLE, VBA macro line: a8qpd = activedocument.builtindocumentproperties(afav8)

Source: documenti 12.01.20.doc

OLE indicator, VBA macros: true

Source: documenti 12.01.20.doc

OLE indicator has summary info: false

Source: documenti 12.01.20.doc

OLE indicator application name: unknown

Source: Joe Sandbox View

Dropped File: C:\Users\Public\ms.com CBAB3546BDDB2E4EA340C1A7DF680DA6C4F4F2F18B8E98F6D4B66926183E269E

Source: C:\Users\Public\ms.com

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Source: classification engine

Classification label: mal88.expl.winDOC@4/13@1/1

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{54A156AB-5F10-4F71-BDCB-FB371509B3D5} - OProcSessId.dat

Jump to behavior

Source: documenti 12.01.20.doc	OLE document summary: title field not present or empty
Source: documenti 12.01.20.doc	OLE document summary: author field not present or empty
Source: documenti 12.01.20.doc	OLE document summary: edited time not present or 0

Source: C:\Users\Public\ms.com	Command line argument: Kernel32.dll
Source: C:\Users\Public\ms.com	Command line argument: WLDP.DLL
Source: C:\Users\Public\ms.com	Command line argument: kernel32.dll

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\ms.com

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\Public\ms.com	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\Public\ms.com	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: documenti 12.01.20.doc

Virustotal: Detection: 29%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Users\Public\ms.com C:\users\public\ms.com C:\users\public\ms.html
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Users\user\AppData\Local\Temp\temp.tmp
Source: C:\Users\Public\ms.com	Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Users\user\AppData\Local\Temp\temp.tmp

Source: C:\Users\Public\ms.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Source: C:\Users\Public\ms.com

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Source:	Binary string: mshta.pdbGCTL source: ms.com, 00000001.00000002.224681367.0000000000B31000.00000020.00020000.sdmp, ms.com.0.dr
Source:	Binary string: mshta.pdb source: ms.com, ms.com.0.dr

Source: C:\Users\Public\ms.com

Code function: 1_2_00B31460 #650,SetProcessDEPPolicy,rand_s,VirtualAlloc,GetVersion,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,FreeLibrary,RegOpenKeyExA,RegQueryValueExA,ExpandEnvironmentStringsA,LoadLibraryA,RegCloseKey,GetModuleHandleW,GetProcAddress,MultiByteToWideChar,RegisterApplicationRestart,GetProcAddress,FreeLibrary,RegCloseKey,

Source: C:\Users\Public\ms.com

Code function: 1_2_00B32091 push ecx; ret

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create

Drops PE files with a suspicious file extension

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\Public\ms.com

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\Public\ms.com

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\Public\ms.com

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\Public\ms.com

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\ms.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\ms.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\ms.com	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\Public\ms.com	Memory allocated: 4F10000 memory reserve \| memory write watch
Source: C:\Users\Public\ms.com	Memory allocated: 63F0000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\Public\ms.com	Memory allocated: 6570000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\Public\ms.com	Memory allocated: 65B0000 memory reserve \| memory write watch
Source: C:\Users\Public\ms.com	Memory allocated: 6730000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\Public\ms.com	Memory allocated: 6B50000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\Public\ms.com	Memory allocated: 6BB0000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\Public\ms.com	Memory allocated: 6BD0000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\Public\ms.com	Memory allocated: 6BF0000 memory commit \| memory reserve \| memory write watch

Source: C:\Users\Public\ms.com

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: ms.com, 00000001.00000002.229166910.0000000006E10000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: ms.com, 00000001.00000003.222604745.0000000006A46000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: ms.com, 00000001.00000002.229166910.0000000006E10000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: ms.com, 00000001.00000002.229166910.0000000006E10000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: ms.com, 00000001.00000002.229166910.0000000006E10000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\Public\ms.com

Code function: 1_2_00B31F11 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\Public\ms.com

Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Users\user\AppData\Local\Temp\temp.tmp

Source: C:\Users\Public\ms.com

Code function: 1_2_00B31DC3 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Source: C:\Users\Public\ms.com

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	DLL Side-Loading1	Process Injection11	Masquerading211	OS Credential Dumping	System Time Discovery1	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter2	Boot or Logon Initialization Scripts	DLL Side-Loading1	Virtualization/Sandbox Evasion2	LSASS Memory	Security Software Discovery11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scripting2	Logon Script (Windows)	Logon Script (Windows)	Process Injection11	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol12	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Native API1	Logon Script (Mac)	Logon Script (Mac)	Scripting2	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Exploitation for Client Execution13	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	System Information Discovery6	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
documenti 12.01.20.doc	29%	Virustotal		Browse
documenti 12.01.20.doc	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\ms.com	0%	Metadefender		Browse
C:\Users\Public\ms.com	0%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
http://nfj254aim.com/analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rwwHf1xOO/7n6dDzF/xspcd2?RltAN=vsETwS&G_=Ro_LgyQulrPjxaAj&wixw=XYJCRUJhgYHPY&bkUOD=AXjbvUQDbTcWkz	0%	Avira URL Cloud	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	Avira URL Cloud	safe
http://nfj254aim.com/analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rw	0%	Avira URL Cloud	safe
https://ncus-000.contentsync.	0%	URL Reputation	safe
https://ncus-000.contentsync.	0%	URL Reputation	safe
https://ncus-000.contentsync.	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://ovisualuiapp.azurewebsites.net/pbiagave/	0%	Avira URL Cloud	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nfj254aim.com	104.28.6.227	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://nfj254aim.com/analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rwwHf1xOO/7n6dDzF/xspcd2?RltAN=vsETwS&G_=Ro_LgyQulrPjxaAj&wixw=XYJCRUJhgYHPY&bkUOD=AXjbvUQDbTcWkz	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://login.microsoftonline.com/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://shell.suite.office.com:1443	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://cdn.entity.	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://wus2-000.contentsync.	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://powerlift.acompli.net	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://cortana.ai	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://api.aadrm.com/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	Avira URL Cloud: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://api.microsoftstream.com/api/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://cr.office.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://portal.office.com/account/?ref=ClientMeControl	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://ecs.office.com/config/v2/Office	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://graph.ppe.windows.net	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tasks.office.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://officeci.azurewebsites.net/api/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://store.office.cn/addinstemplate	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://wus2-000.pagecontentsync.	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://globaldisco.crm.dynamics.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://store.officeppe.com/addinstemplate	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.odwebp.svc.ms	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://web.microsoftstream.com/video/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://graph.windows.net	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://dataservice.o365filtering.com/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
http://weather.service.msn.com/data.aspx	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://apis.live.net/v5.0/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://management.azure.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://outlook.office365.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://incidents.diagnostics.office.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://api.office.net	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://incidents.diagnosticssdf.office.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
http://nfj254aim.com/analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rw	ms.com, 00000001.00000003.224033467.0000000006E03000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
https://entitlement.diagnostics.office.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://autodiscover-s.outlook.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://templatelogging.office.com/client/log	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://webshell.suite.office.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://management.azure.com/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://ncus-000.contentsync.	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://login.windows.net/common/oauth2/authorize	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://graph.windows.net/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://devnull.onenote.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://messaging.office.com/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://augloop.office.com/v2	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://skyapi.live.net/Activity/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/mac	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://dataservice.o365filtering.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://ovisualuiapp.azurewebsites.net/pbiagave/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	Avira URL Cloud: safe	unknown
https://visio.uservoice.com/forums/368202-visio-on-devices	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://directory.services.	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://login.windows-ppe.net/common/oauth2/authorize	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high
https://loki.delve.office.com/api/v1/configuration/officewin32/	03A112E3-5A1A-4EB6-A30A-4E5816B016CD.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.28.6.227	unknown	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	326338
Start date:	03.12.2020
Start time:	10:11:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 51s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	documenti 12.01.20.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.expl.winDOC@4/13@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 83.9%) Quality average: 70.8% Quality standard deviation: 35%
HCA Information:	Successful, ratio: 57% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 52.109.88.177, 52.109.12.21, 52.109.76.36, 51.104.139.180, 92.122.144.200, 104.43.193.48, 67.27.158.254, 8.248.113.254, 67.26.75.254, 67.27.158.126, 67.27.233.126, 20.54.26.129, 92.122.213.247, 92.122.213.194 Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, officeclient.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, europe.configsvc1.live.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	documenti 12.01.20.doc	Get hash	malicious	Browse	172.67.164.220
	dettare-12.01.2020.doc	Get hash	malicious	Browse	104.24.122.135
	dettare-12.01.2020.doc	Get hash	malicious	Browse	104.24.122.135
	officialdoc!_013_2020.exe	Get hash	malicious	Browse	104.24.126.89
	https://tvronline.com/ihs	Get hash	malicious	Browse	104.16.123.96
	dettare-12.01.2020.doc	Get hash	malicious	Browse	104.24.123.135
	2020-12-03_08-45-45.exe.exe	Get hash	malicious	Browse	104.31.70.85
	STATEMENT OF ACCOUNT.exe	Get hash	malicious	Browse	162.159.130.233
	invoice.xlsx	Get hash	malicious	Browse	172.67.143.180
	Vlpuoe2JSz.exe	Get hash	malicious	Browse	23.227.38.74
	MxL5EoQS5q.exe	Get hash	malicious	Browse	104.27.146.3
	imVtKjcvlb.exe	Get hash	malicious	Browse	172.67.146.58
	Quote.exe	Get hash	malicious	Browse	172.67.188.154
	doc-3860.xls	Get hash	malicious	Browse	104.31.87.226
	LIST_OF_IDs.xls	Get hash	malicious	Browse	104.22.1.232
	niteEnrgy.xlsx	Get hash	malicious	Browse	162.159.134.233
	Shipment Document BL,INV and packing list.jpg.exe	Get hash	malicious	Browse	23.227.38.74
	info1270.xls	Get hash	malicious	Browse	104.28.11.60
	urXFLGgIxo.xls	Get hash	malicious	Browse	104.22.0.232
	urXFLGgIxo.xls	Get hash	malicious	Browse	172.67.8.238

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\Public\ms.com	dettare-12.01.2020.doc	Get hash	malicious	Browse
	legal paper-12.01.2020.doc	Get hash	malicious	Browse
	statistics,11.20.2020.doc	Get hash	malicious	Browse
	commerce _11.20.2020.doc	Get hash	malicious	Browse
	file-11.20.doc	Get hash	malicious	Browse
	command-11.05.2020.doc	Get hash	malicious	Browse
	official paper_11.20.doc	Get hash	malicious	Browse
	legal agreement 11.20.doc	Get hash	malicious	Browse
	specifics 11.05.2020.doc	Get hash	malicious	Browse
	particulars,11.20.doc	Get hash	malicious	Browse
	enjoin-11.05.2020.doc	Get hash	malicious	Browse
	specifics-11.05.2020.doc	Get hash	malicious	Browse
	intelligence-11.05.2020.doc	Get hash	malicious	Browse
	documents_11.20.doc	Get hash	malicious	Browse
	file.11.20.doc	Get hash	malicious	Browse
	require-11.20.doc	Get hash	malicious	Browse
	require_11.20.doc	Get hash	malicious	Browse
	official paper.11.20.doc	Get hash	malicious	Browse
	order_11.20.doc	Get hash	malicious	Browse
	material-11.20.doc	Get hash	malicious	Browse

Created / dropped Files

C:\Users\Public\ms.com Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	4.926696656173964
Encrypted:	false
SSDEEP:	192:ohs5YZgW7BXxaQbmpi/Dago+Mz8FDe2WwqrIRbW3oo:9kBXxfmpimR78E2WwqIWYo
MD5:	7083239CE743FDB68DFC933B7308E80A
SHA1:	274216860964AF5ACDCE5F7BD508F69C98FA55B2
SHA-256:	CBAB3546BDDB2E4EA340C1A7DF680DA6C4F4F2F18B8E98F6D4B66926183E269E
SHA-512:	8047FCAB5D3A35A405661C72879D6EBCF3EF2AFE7486649F0BBC43FA59E898A9E37A998940764422E1AB0AE066B3E45132D67CAB963B9BF3C44BC3EC8D4EDC6D
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: dettare-12.01.2020.doc, Detection: malicious, Browse Filename: legal paper-12.01.2020.doc, Detection: malicious, Browse Filename: statistics,11.20.2020.doc, Detection: malicious, Browse Filename: commerce _11.20.2020.doc, Detection: malicious, Browse Filename: file-11.20.doc, Detection: malicious, Browse Filename: command-11.05.2020.doc, Detection: malicious, Browse Filename: official paper_11.20.doc, Detection: malicious, Browse Filename: legal agreement 11.20.doc, Detection: malicious, Browse Filename: specifics 11.05.2020.doc, Detection: malicious, Browse Filename: particulars,11.20.doc, Detection: malicious, Browse Filename: enjoin-11.05.2020.doc, Detection: malicious, Browse Filename: specifics-11.05.2020.doc, Detection: malicious, Browse Filename: intelligence-11.05.2020.doc, Detection: malicious, Browse Filename: documents_11.20.doc, Detection: malicious, Browse Filename: file.11.20.doc, Detection: malicious, Browse Filename: require-11.20.doc, Detection: malicious, Browse Filename: require_11.20.doc, Detection: malicious, Browse Filename: official paper.11.20.doc, Detection: malicious, Browse Filename: order_11.20.doc, Detection: malicious, Browse Filename: material-11.20.doc, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q*A..D...D...D..h....D..tG...D..t@...D...E...D..tE...D..tA...D..tM...D..t....D..tF...D.Rich..D.........PE..L...R........................"...............0....@..................................j....@..................................@..d....P.......................p..........T............................................@...............................text............................... ..`.data........0......................@....idata..F....@......................@..@.rsrc........P......................@..@.reloc.......p.......2..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\ms.html Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	17904
Entropy (8bit):	5.221943493256307
Encrypted:	false
SSDEEP:	192:eBZQiLCb1hint4zdt1e870k0hs70k0C2qNXl6qJExTxvYj0lXUZIeYsa3UKh73uy:e3QYnadWs4TxYI2ZHeM7MQc
MD5:	7F908F1EE0BBB0B276589F06368A008D
SHA1:	EE9D0FA4C45AEB9C75750AA003E7C0F0F22E348D
SHA-256:	8B23A9189FD2FE4CC89459224ED36E7A64121DE9589D3AC9CEAE9E4DEEF7F23A
SHA-512:	3FBEBBCD1B5F2A731470037A702BA58EEFBC0764874D465539E90B6FCD4BA16E93221E8EB402BF2D3B603A6B4D81E3B1A2E68EA3625A93716F4EF991FA625633
Malicious:	false
Reputation:	low
Preview:	<html>..<body>..<script language="javascript">..var a3MQw4 = true;..var a3yaLo = -47909;..function decode(input)..{..var keystr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";..var output = "";..var chr1, chr2, chr3;..var enc1, enc2, enc3, enc4;..var i = 0;..input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");..while (i < input.length)..{..enc1 = keystr.indexOf(input.charAt(i++));..enc2 = keystr.indexOf(input.charAt(i++));..enc3 = keystr.indexOf(input.charAt(i++));..enc4 = keystr.indexOf(input.charAt(i++));..chr1 = (enc1 << 2) \| (enc2 >> 4);..chr2 = ((enc2 & 15) << 4) \| (enc3 >> 2);..chr3 = ((enc3 & 3) << 6) \| enc4;..output = output + String.fromCharCode(chr1);..if(enc3 != 64)..{..output = output + String.fromCharCode(chr2);..}..if(enc4 != 64)..{..output = output + String.fromCharCode(chr3);..}..}..return(output);..}..var aVEqp = true;..var atpoA = "HKEY_CURRENT_USER\\Software\\aHgVT\\auJ5v2";..var a7PjY = "a9IlS";..var a4qgwu = a7PjY.length;..anD3Wb = true;..window

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\03A112E3-5A1A-4EB6-A30A-4E5816B016CD Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	130058
Entropy (8bit):	5.378006827606677
Encrypted:	false
SSDEEP:	1536:6cQceNWrA3gZwLpQ9DQW+zAUH34ZldpKWXboOilXPErLL8TT:hmQ9DQW+zBX8u
MD5:	F28073F5D9517A703D6F836C06E3BD72
SHA1:	F3D940A80A311EFCD0E05027AEC396B477CD3390
SHA-256:	2BF2B6CB402BBEB2DF6D7C17F4F26FADFF892B82B46848B2A1D07815FFAFC3CF
SHA-512:	093D18E703EB29CC96B81E62CF1C242FB9DDEEFE2011A1853F08A1B25B2BB9C2E9E857BE754DE016C0507A14C904AAC9B8C0952F43C160BD45643BA1769FC5A3
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2020-12-03T09:12:11">.. Build: 16.0.13601.30534-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\D1F0E0D.jpeg Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	[TIFF image data, big-endian, direntries=4, xresolution=62, yresolution=70, resolutionunit=2, software=Paint.NET v3.5.11], baseline, precision 8, 994x241, frames 3
Category:	dropped
Size (bytes):	57258
Entropy (8bit):	7.900983242117529
Encrypted:	false
SSDEEP:	768:Nne7FOQKYij8iCi2EQrb4lF6j5UTFRHehGLOAFed/6CO2wPbttab/jz7Q+6fNsaw:Ne7Il+Oy4wUOAL2wPbnQ/Tz6CaCd
MD5:	B44AC26E80A557B913B715F234C3D769
SHA1:	1E0574649A9E5BBE0283D83A801E0E3EC4261BBC
SHA-256:	1EFAC6DE241D24814D7925C803E3ACBF4E2CD4A90FDE9C6826613DE2A8063B7B
SHA-512:	4349E729AEDC4E69A92432553C0BEA8CF5D4D92E7908F25DB5DF3E1B3628F74D362AFD15AED5EED12E53ABDFFAB44F81E39006C8C6FF4D242A05D45AFFA08E5D
Malicious:	false
Reputation:	low
Preview:	......JFIF.....`.`.....hExif..MM..................>...........F.(...........1.........N.......`.......`....Paint.NET v3.5.11....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......C@.9.cJ9.b.....^..e...G..~.vP/...]f...Zh.....1y.7.%R5'v.WE..@..J.N....V....9.e...$a....R..R..{...........).......O.\|<.-bR.>..^.F[$a........... ....r.../.....?.._.....'.7A+.r...3..Yj..o.'o....=)k......?..8.._....K................g....8...e\...e.(...q..1.2.W.3...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{530E58BB-187E-4C19-8B2C-85E6BFE40879}.tmp Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:X:X
MD5:	32649384730B2D61C9E79D46DE589115
SHA1:	053D8D6CEEBA9453C97D0EE5374DB863E6F77AD4
SHA-256:	E545D395BB3FD971F91BF9A2B6722831DF704EFAE6C1AA9DA0989ED0970B77BB
SHA-512:	A4944ADFCB670ECD1A320FF126E7DBC7FC8CC4D5E73696D43C404E1C9BB5F228CF8A6EC1E9B1820709AD6D4D28093B7020B1B2578FDBC764287F86F888C07D9C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{68948AFA-45F9-4DB8-A153-5A7DB6FAA966}.tmp Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	0.3796147056131488
Encrypted:	false
SSDEEP:	3:9l3lli4wltfSP8lFllItEMAWuWy:kFSP8gtEMAWpy
MD5:	39F0255F9BB41BD49E765898D326FB77
SHA1:	8AD67EEB7CF2ED4CA7DD1AF586406DE92113C6F1
SHA-256:	7DB4A7FAFE19900A941F5EC134454C4769D6D1F8227A176A3CEBD9F3C7D86056
SHA-512:	6FD2E6037C25B4EC5D091B9E2C3F2E9EC04FC3A59AFD79D980ED0E11FFEEFBA18EA535B1C0443A01BC50C5AED4C4F1150B0487B89CE35B2B440D323B40592B28
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	....../.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{CE8E963C-75E4-48F8-AAD8-BF6FA61F3A31}.tmp Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\xspcd2[1].htm Download File
Process:	C:\Users\Public\ms.com
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	205
Entropy (8bit):	5.155240244937957
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3RSG8KCezocKqD:J0+oxBeRmR9etdzRxgzez1T
MD5:	6C598B85477C948D2A6C50AB26631415
SHA1:	429CE2C54B01450B0250D423F08886A0F6B567DB
SHA-256:	04F87DABEBF8EF014741C17361A203E1DA743BA43AF231D9B8DC02DEBE9E6FC4
SHA-512:	9C5D564EA1CA2842FB8667C31E8A5CCB07A05073DB509BABF9EA93425B9A344609928582A41CC7DDDAF2A068BF5CBE579F88F8EC8FC3ED4EAC6B796A387C73EA
Malicious:	false
Reputation:	low
IE Cache URL:	http://nfj254aim.com/analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rwwHf1xOO/7n6dDzF/xspcd2?RltAN=vsETwS&G_=Ro_LgyQulrPjxaAj&wixw=XYJCRUJhgYHPY&bkUOD=AXjbvUQDbTcWkz
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL "xspcd2" was not found on this server.</p>.</body></html>.

C:\Users\user\AppData\Local\Temp\temp.tmp Download File
Process:	C:\Users\Public\ms.com
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	205
Entropy (8bit):	5.155240244937957
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3RSG8KCezocKqD:J0+oxBeRmR9etdzRxgzez1T
MD5:	6C598B85477C948D2A6C50AB26631415
SHA1:	429CE2C54B01450B0250D423F08886A0F6B567DB
SHA-256:	04F87DABEBF8EF014741C17361A203E1DA743BA43AF231D9B8DC02DEBE9E6FC4
SHA-512:	9C5D564EA1CA2842FB8667C31E8A5CCB07A05073DB509BABF9EA93425B9A344609928582A41CC7DDDAF2A068BF5CBE579F88F8EC8FC3ED4EAC6B796A387C73EA
Malicious:	true
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL "xspcd2" was not found on this server.</p>.</body></html>.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\documenti 12.01.20.doc.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:03:44 2020, mtime=Thu Dec 3 17:12:12 2020, atime=Thu Dec 3 17:12:09 2020, length=88302, window=hide
Category:	dropped
Size (bytes):	2190
Entropy (8bit):	4.712055572834122
Encrypted:	false
SSDEEP:	24:8xJvKgz97TLn0AWHlHD+C3S7aB6myxJvKgz97TLn0AWHlHD+C3S7aB6m:8vvKarDWHgC3DB6pvvKarDWHgC3DB6
MD5:	4E46CCE2B28C2C8F37445649C41C3D13
SHA1:	53466F4075B1C2DA347CAC97D9DF3328475AE4AA
SHA-256:	51E4ACCBF645FBA5364F0778E421EB5860A68FC62E0445581E8A622806CCBC7D
SHA-512:	CD886689C52BC3F75ADAE18F4005735E8B3F06C265D862378BDAB418ED36ADE3FA1859DCAD9C26938B52AB170CC4D9B5370135630EE6864A26DF7E20F188E9C8
Malicious:	true
Preview:	L..................F.... ...)...:................X...........................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...Q{.....................:.....q\|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qxx..user.<.......Ny..Q{......S........................h.a.r.d.z.....~.1.....>Qyx..Desktop.h.......Ny..Q\|......Y..............>.....3...D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....z.2..X...Q.. .DOCUME~1.DOC..^......>Qwx.Q......h.....................8./.d.o.c.u.m.e.n.t.i. .1.2...0.1...2.0...d.o.c.......\...............-.......[...........>.S......C:\Users\user\Desktop\documenti 12.01.20.doc..-.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.d.o.c.u.m.e.n.t.i. .1.2...0.1...2.0...d.o.c.........:..,.LB.)...As...`.......X.......707748...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	104
Entropy (8bit):	4.257252520997243
Encrypted:	false
SSDEEP:	3:M18H9LRBa9CZELRBa9CmX18H9LRBa9Cv:M+H9LCgELC2H9LCs
MD5:	E4D38C0BB0C8C137A27C95905AF5428E
SHA1:	8D6D1A7BD1F255BE9B0F781D48887D9FFAC1BE48
SHA-256:	461FC19670225BA840A06E93B71E3170F24C1B0C0362756ADABA3389BD5D31C5
SHA-512:	89E37B3E835960A39E17FFEF53755EFB4309DE3F8F93FBF8A1381A2E1DCC27AB8AAF7F5C902177EBEBFFBB95A0B7D3679DD3853975331DDA6B1D49F36A1C692B
Malicious:	false
Preview:	[doc]..documenti 12.01.20.doc.LNK=0..documenti 12.01.20.doc.LNK=0..[doc]..documenti 12.01.20.doc.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.270627014481718
Encrypted:	false
SSDEEP:	3:Rl/ZdXmxoYlqKKhlLlFlqKO83X/tln:RtZVmxQ5QO
MD5:	91C0013827A6C6DC8AAAE35D0CD89DC6
SHA1:	118F5DE34C62F8B7A3117BD1BDCCC30DDA804688
SHA-256:	EAE73803990EB17F35470ED74A38A013986DF7D071BF65FECC8E002616A1EFB8
SHA-512:	40A7A76D64B90F0FBFFA5F4C7F84031FF8CD2AE102760E54A6837909D34A6C076EC34E8E06C255590CBF7F5F6E1F1E2A40F2496BB034E5B779EBDAF9462E2113
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h.........#...............T.......6C....../...............$.......6C......+...................

C:\Users\user\Desktop\~$cumenti 12.01.20.doc Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.270627014481718
Encrypted:	false
SSDEEP:	3:Rl/ZdXmxoYlqKKhlLlFlqKO83X/tln:RtZVmxQ5QO
MD5:	91C0013827A6C6DC8AAAE35D0CD89DC6
SHA1:	118F5DE34C62F8B7A3117BD1BDCCC30DDA804688
SHA-256:	EAE73803990EB17F35470ED74A38A013986DF7D071BF65FECC8E002616A1EFB8
SHA-512:	40A7A76D64B90F0FBFFA5F4C7F84031FF8CD2AE102760E54A6837909D34A6C076EC34E8E06C255590CBF7F5F6E1F1E2A40F2496BB034E5B779EBDAF9462E2113
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h.........#...............T.......6C....../...............$.......6C......+...................

Static File Info

General
File type:	Microsoft Word 2007+
Entropy (8bit):	7.894769517768764
TrID:	Word Microsoft Office Open XML Format document with Macro (52004/1) 33.99% Word Microsoft Office Open XML Format document (49504/1) 32.35% Word Microsoft Office Open XML Format document (43504/1) 28.43% ZIP compressed archive (8000/1) 5.23%
File name:	documenti 12.01.20.doc
File size:	93665
MD5:	f530de77053a5c25a94f930bb954bcf8
SHA1:	46cbf6e7a7ad04e3586c88a7a0d2cbcb141c3ec4
SHA256:	1e70cc7a76bf59a5b559e496a0e83f91e13526533c89f001619ca70324ebfd82
SHA512:	f35b4d0cf4d0665117f58792a4d0fe51f13210921c1ac9d715160a4f9708e09817c6f0ab65e2c37c493a22d41fdacaaba1775fb8cc205b9d3e4855258892f916
SSDEEP:	1536:A/rBcK6fNcSI7O8hRe7Il+Oy4wUOAL2wPbnQ/Tz6CaC/B2RrNbSxQml:w6lfNu/Q7Y9wkFncTZB2RrN9S
File Content Preview:	PK..........!.[...............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	74f4c4c6c1cac4d8

Static OLE Info

General
Document Type:	OpenXML
Number of OLE Files:	1

OLE File "/opt/package/joesandbox/database/analysis/326338/sample/documenti 12.01.20.doc"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Template:	Normal.dotm
Total Edit Time:	0
Number of Pages:	1
Number of Words:	0
Number of Characters:	0
Creating Application:	Microsoft Office Word
Security:	0

Document Summary
Number of Lines:	3
Number of Paragraphs:	0
Thumbnail Scaling Desired:	false
Company:
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	16.0000

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 1127

General
Stream Path:	VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	1127
Data ASCII:	. . . . . . . . . 4 . . . . . . . . . . . b . . . p . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . s . . : . . \\ L . . # Y * . . . . . g ~ . . L . o . . . . . . . . . . . . . . . . . . . . . . . . . . ! } . . . . u D . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . ! } . . . . u D . 1 . . . . . . s . . : . . \\ L . . # Y * . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 06 00 01 00 00 34 03 00 00 e4 00 00 00 ea 01 00 00 62 03 00 00 70 03 00 00 c4 03 00 00 00 00 00 00 01 00 00 00 0e 35 d7 f8 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 73 04 ec 3a 99 d0 5c 4c bb d7 23 59 2a 88 09 7f 14 fb 67 20 7e 8f de 4c 81 6f 96 90 b4 fc f3 9f 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Creatable
VB_Name
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
"ThisDocument"

VBA Code

VBA File Name: a7A5m.bas, Stream Size: 5178

General
Stream Path:	VBA/a7A5m
VBA File Name:	a7A5m.bas
Stream Size:	5178
Data ASCII:	. . . . . . . . . j . . . . . . . . . . . . . . . q . . . ] . . . . . . . . . . . . 5 > Q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 6a 03 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 71 03 00 00 5d 0e 00 00 00 00 00 00 01 00 00 00 0e 35 3e 51 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
joins
effigy
photo
maidenhead
torah
imprint
co-operative
unfavorable
Collects
Public
Diagram
aSGxU
Makeup
father
abhorred
controls
Cutting
unpropitious
minerva
Training
Adventures
unveil
Mysimon
Replace(aPENSZ,
slanderous
webcast
savoury
nucleus
liberia
footstool
Adroit
nutmeg
greenish
inter
adHaPl
Hallow
warner
manger
ethical
Since
pickled
Routing
Sniff
Giants
Nickel
seventy-four
fellowship
shadow
Maudlin
stefan
Tribal
tabooed
akSqK(aPENSZ)
expire
along
vaccine
reaction
Rancid
patricia
lackey
coxcomb
Workflow
axIuO
succeed
daisy
syria
Receptacle
Defraud
Knowledge
Contacts
Sorcery
transit
undersigned
leniency
sacrilegious
aYKyQ
dearborn
insulation
detecting
cloud
Glucose
willy
wealth
probity
exhort
Accelerated
ballast
Articulated
transverse
azUoN
Outcome
Specifies
graphic
brandishing
Attribute
gamespot
rectangular
patients
awAlq()
tumults
Enemies
Basketball
VB_Name
Gloating
(axSiN)
Issue
counterfeit
Function
Retrospect
unadulterated
comfort
hybrid
Munich
brandon
delay
located
actors
commentary
akSqK
cubic
stacy
photographers
Airport
characters
dappled
chris
mangrove
knack
Generates
statute
Attorney
coupling
navel
Pyramid
steady
bakery
Boolean
Terrace
Verzeichnis
turnpike

VBA Code

VBA File Name: aH8xms.bas, Stream Size: 863

General
Stream Path:	VBA/aH8xms
VBA File Name:	aH8xms.bas
Stream Size:	863
Data ASCII:	. . . . . . . . . z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 . ] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 7a 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 81 02 00 00 11 03 00 00 00 00 00 00 01 00 00 00 0e 35 b2 5d 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
awAlq
Attribute
AutoOpen()
VB_Name

VBA Code

VBA File Name: aIsb7.bas, Stream Size: 5040

General
Stream Path:	VBA/aIsb7
VBA File Name:	aIsb7.bas
Stream Size:	5040
Data ASCII:	. . . . . . . . . : . . . . . . . . . . . . . . . A . . . 1 . . . . . . . . . . . . 5 . w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 3a 06 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 41 06 00 00 31 0f 00 00 00 00 00 00 01 00 00 00 0e 35 df 77 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Blackmail
developer
valuation
plume
aMslO(aucpr)
amZcqK
Berkeley
plenipotentiary
translations
aYzBn
roundabout
aVzRp()
(akSqK(aucpr))
Pronoun
aCqnt
positions
teams
purveyor
arthur
louis
soviet
Tatiana
axSiN
motherboard
numeric
Idiom
perspective
dialectic
shallows
gazette
Discovery
felony
unconvinced
roller
Proven
medicare
ElseIf
clime
cartwright
importunate
moiety
guess
Bulldog
adeKx
Bereavement
asses
participated
Waylaid
confiscate
grandchildren
Barely
axSiN()
Shutter
Coiled
realty
compute
Precedence
vapid
Attribute
handcuffs
aaqRT
transparency
specialized
propaganda
VB_Name
calvin
telephony
everyday
Function
baste
demesne
switching
Springer
Modes
Luggage
Avant
catalog
Milky
hearthstone
tracy
expand
aMslO
Johns
sunset
requires

VBA Code

VBA File Name: aOMv0.bas, Stream Size: 3156

General
Stream Path:	VBA/aOMv0
VBA File Name:	aOMv0.bas
Stream Size:	3156
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 k > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 e2 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff e9 02 00 00 11 09 00 00 00 00 00 00 01 00 00 00 0e 35 6b 3e 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
causes
anFJy
exclusively
Truly
Browser
aYzBn(aDKIk,
smell
Searched
adBRr(anFJy)
Surrounding
recommendations
nazarene
Constitutes
proteins
delegation
String
aMnjk
commentator
zoological
trunk
Juvenile
pearly
ElseIf
Insider
learning
Oreilly
Asc(aMnjk)
Treasurer
alfred
aDKIk
Integer
limousine
Alexander
Respiratory
aJjwu)
abomination
delayed
Memoirs
Attribute
ascendancy
acclaim
Imprecation
VB_Name
wampum
Etymology
undeceive
Function
priory
humanities
relatives
sufficiency
aJjwu
unless
persons
(aDKIk
elusive
Stumped
turnpike

VBA Code

VBA File Name: aRZcbw.bas, Stream Size: 4810

General
Stream Path:	VBA/aRZcbw
VBA File Name:	aRZcbw.bas
Stream Size:	4810
Data ASCII:	. . . . . . . . . b . . . . . . . . . . . . . . . i . . . . . . . . . . . . . . . . 5 . ] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 62 04 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 69 04 00 00 b1 0d 00 00 00 00 00 00 01 00 00 00 0e 35 b6 5d 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
uninterested
determinate
Const
serenade
fraser
unreliable
Public
Contacting
adolescence
Kinswoman
wickedly
walnut
blots
undivided
vociferous
Antigua
Librarian
Indolence
procedures
encounter
Campaign
riven
Defined
belfast
tradespeople
dizziness
Abstention
Terrorist
Maidenhead
Anniversary
phosphoric
dialectic
enemies
Dentists
String
Upskirt
Nearly
undecided
affordable
timeline
Obviously
selective
offset
const
restrictions
would
shove
nomenclature
axIuO()
Gentle
Choosing
Maine
gamma
consulting
strumpet
schooling
Metallic
dietary
stumble
landscape
Straightforward
prove
deuteronomy
ravage
Ecological
brazilian
Integer
jerky
adroitly
walter
daughter-in-law
aVzRp
shell
supporters
catering
magnanimous
Stylish
haven
assets
boarding
holland
washington
"aRZcbw"
Attribute
abortion
economies
compensation
Receptor
latch
Dysentery
Variety
expanding
VB_Name
Esquire
Fisting
aYKyQ()
collapse
Function
completeness
cambodia
branch
elliptical
Entrust
reporting
demanding
consolidation
sceptic
priced
Gamma
Sensuality
unload
cover
brooded
strings

VBA Code

VBA File Name: abh0Rg.bas, Stream Size: 4574

General
Stream Path:	VBA/abh0Rg
VBA File Name:	abh0Rg.bas
Stream Size:	4574
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 ca 03 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff d1 03 00 00 e1 0c 00 00 00 00 00 00 01 00 00 00 0e 35 f9 c7 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
seasonal
pointed
Trains
Cancelled
theaters
swain
fullness
Public
sulky
referring
explain
compost
Aquarium
bullet
digit
downpour
Changelog
alabaster
denounce
Candy
self-evident
Homesickness
Machinist
statistical
Primacy
FreeFile
Love-making
Truism
companies
mother-in-law
Competition
subway
analytical
walrus
greenhouse
Flaccid
Webshots
Tress
tricolor
pacific
pretension
radius
Print
Drawn
FileNumber
Breakdown
diffidence
Biology
aicyF
illusory
wikipedia
poison
adBRr
dutch
suggesting
participation
Plaza
Sanity
Gaoler
impromptu
isthmus
Amber
sender
urges
changes
#FileNumber
confidentiality
tunisia
liqueur
Simulated
coding
venues
seashore
reservation
lighthouse
swimmer
Arising
aicyF)
lambent
sloped
shortening
fahrenheit
transcendent
#FileNumber,
flexible
Winsome
Georgia
option
Forests
lazarus
labourer
bukkake
Grenada
Surplus
Attribute
avhZYf
aVOhvn
Syntax
Close
devious
engineers
cleaner
VB_Name
lichen
Outwards
stubbornly
proceeds
trusted
Function
belle
depth
highlighted
FileCopy
louisville
Inconsistency
ungracious
opposite
adBRr(avhZYf)
disagree
Indisputable
Output
classroom
notch
Abandons
allegorical
Overhung
eddies
Adultery
Intact

VBA Code

VBA File Name: adGbPA.bas, Stream Size: 4586

General
Stream Path:	VBA/adGbPA
VBA File Name:	adGbPA.bas
Stream Size:	4586
Data ASCII:	. . . . . . . . . J . . . . . . . . . . . . . . . Q . . . . . . . . . . . . . . . . 5 . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 4a 03 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 51 03 00 00 f5 0c 00 00 00 00 00 00 01 00 00 00 0e 35 ee 60 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
intervals
octagonal
neigh
signs
astrology
legitimately
tittle
southwest
Technique
Matins
rejoin
Mephistopheles
intimidation
Burdensome
Responsibility
syllogism
Adobe
pounds
patrick
concave
Bequeath
Types
hesse
Select
pragmatic
excavation
magnificent
Vishnu
abolitionist
estimated
occurrence
Vassal
adkJvD
Armenia
Sanctified
dunbar
Systematically
component
Departments
modular
lucrative
Stating
Attica
derivation
attending
Bouquet
losses
leave-taking
Screens
fleshy
primal
Hybrid
)o)l)l)e)h)"),
Redden
utility
clustering
Unless
athens
totality
"adGbPA"
inferno
recurring
expiring
Sampson
languidly
Marrow
trojan
Attribute
Counsellor
Receipt
headers
Inactive
Sundown
lingo
charlotte
thirty-nine
aGSfMv()
VB_Name
Terminal
overran
Wicked
Function
silhouette
recovery
Mario
Infringement
Ticket
pichunter
chemist
Blue-black
brainless
cliff
complacent
compendium
aGSfMv
defilement
annuity
register
foundry
Displacement
remonstrate

VBA Code

Streams

Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 618

General
Stream Path:	PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	618
Entropy:	5.34267626544
Base64 Encoded:	True
Data ASCII:	I D = " { 8 6 2 6 2 4 0 6 - 3 0 4 D - 4 E F A - A 4 4 C - C 5 5 4 C 4 7 8 6 1 3 8 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = a H 8 x m s . . M o d u l e = a R Z c b w . . M o d u l e = a b h 0 R g . . M o d u l e = a 7 A 5 m . . M o d u l e = a d G b P A . . M o d u l e = a I s b 7 . . M o d u l e = a O M v 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 1 C
Data Raw:	49 44 3d 22 7b 38 36 32 36 32 34 30 36 2d 33 30 34 44 2d 34 45 46 41 2d 41 34 34 43 2d 43 35 35 34 43 34 37 38 36 31 33 38 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 61 48 38 78 6d 73 0d 0a 4d 6f 64 75 6c 65 3d 61 52 5a 63 62 77 0d 0a 4d 6f 64 75 6c 65 3d 61 62 68 30 52 67 0d 0a 4d 6f 64 75

Stream Path: PROJECTwm, File Type: data, Stream Size: 179

General
Stream Path:	PROJECTwm
File Type:	data
Stream Size:	179
Entropy:	3.66892704793
Base64 Encoded:	True
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . a H 8 x m s . a . H . 8 . x . m . s . . . a R Z c b w . a . R . Z . c . b . w . . . a b h 0 R g . a . b . h . 0 . R . g . . . a 7 A 5 m . a . 7 . A . 5 . m . . . a d G b P A . a . d . G . b . P . A . . . a I s b 7 . a . I . s . b . 7 . . . a O M v 0 . a . O . M . v . 0 . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 61 48 38 78 6d 73 00 61 00 48 00 38 00 78 00 6d 00 73 00 00 00 61 52 5a 63 62 77 00 61 00 52 00 5a 00 63 00 62 00 77 00 00 00 61 62 68 30 52 67 00 61 00 62 00 68 00 30 00 52 00 67 00 00 00 61 37 41 35 6d 00 61 00 37 00 41 00 35 00 6d 00 00 00 61 64 47 62 50 41 00 61

Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 4172

General
Stream Path:	VBA/_VBA_PROJECT
File Type:	data
Stream Size:	4172
Entropy:	4.76403916663
Base64 Encoded:	True
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
Data Raw:	cc 61 b2 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 2119

General
Stream Path:	VBA/__SRP_0
File Type:	data
Stream Size:	2119
Entropy:	3.47748136877
Base64 Encoded:	True
Data ASCII:	. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ Z . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . . . . A . . . . . . V H . . . . . . . . . . .
Data Raw:	93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00

Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 230

General
Stream Path:	VBA/__SRP_1
File Type:	data
Stream Size:	230
Entropy:	1.75961915218
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 348

General
Stream Path:	VBA/__SRP_2
File Type:	data
Stream Size:	348
Entropy:	1.78450864632
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . ` . . . A . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 91 07 00 00 00 00 00 00 00 00 00 00 c1 07 00 00 00 00 00 00 00 00 00 00 11 08

Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 106

General
Stream Path:	VBA/__SRP_3
File Type:	data
Stream Size:	106
Entropy:	1.35911194617
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . b . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 00 00 00 00 00 00 62 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00

Stream Path: VBA/dir, File Type: data, Stream Size: 775

General
Stream Path:	VBA/dir
File Type:	data
Stream Size:	775
Entropy:	6.59935768005
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . . . a . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . . m . . .
Data Raw:	01 03 b3 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 95 d8 b6 61 10 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2020 10:12:14.717160940 CET	49711	80	192.168.2.3	104.28.6.227
Dec 3, 2020 10:12:14.744054079 CET	80	49711	104.28.6.227	192.168.2.3
Dec 3, 2020 10:12:14.744210958 CET	49711	80	192.168.2.3	104.28.6.227
Dec 3, 2020 10:12:14.774555922 CET	49711	80	192.168.2.3	104.28.6.227
Dec 3, 2020 10:12:14.801323891 CET	80	49711	104.28.6.227	192.168.2.3
Dec 3, 2020 10:12:15.259387970 CET	80	49711	104.28.6.227	192.168.2.3
Dec 3, 2020 10:12:15.259423018 CET	80	49711	104.28.6.227	192.168.2.3
Dec 3, 2020 10:12:15.259588957 CET	49711	80	192.168.2.3	104.28.6.227
Dec 3, 2020 10:12:19.342504025 CET	49711	80	192.168.2.3	104.28.6.227

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2020 10:12:04.872263908 CET	64185	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:04.899449110 CET	53	64185	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:05.977966070 CET	65110	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:06.005306005 CET	53	65110	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:07.103354931 CET	58361	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:07.139152050 CET	53	58361	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:09.160564899 CET	63492	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:09.187803984 CET	53	63492	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:10.486977100 CET	60831	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:10.514538050 CET	53	60831	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:11.725595951 CET	60100	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:11.763911009 CET	53	60100	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:12.123970032 CET	53195	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:12.181309938 CET	53	53195	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:13.119251966 CET	53195	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:13.154472113 CET	53	53195	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:14.142292023 CET	53195	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:14.185724974 CET	53	53195	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:14.652942896 CET	50141	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:14.693248034 CET	53	50141	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:16.145160913 CET	53195	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:16.182802916 CET	53	53195	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:20.156338930 CET	53195	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:20.191992044 CET	53	53195	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:35.233314991 CET	53023	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:35.260240078 CET	53	53023	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:35.375446081 CET	49563	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:35.411010981 CET	53	49563	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:40.677835941 CET	51352	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:40.704961061 CET	53	51352	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:41.510663986 CET	59349	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:41.537661076 CET	53	59349	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:42.374233961 CET	57084	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:42.401274920 CET	53	57084	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:43.279664993 CET	58823	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:43.315388918 CET	53	58823	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:44.258956909 CET	57568	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:44.285885096 CET	53	57568	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:46.834990025 CET	50540	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:46.862232924 CET	53	50540	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:48.029016018 CET	54366	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:48.055943966 CET	53	54366	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:48.889570951 CET	53034	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:48.916682005 CET	53	53034	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:49.686250925 CET	57762	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:49.713371992 CET	53	57762	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:54.746095896 CET	55435	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:54.773276091 CET	53	55435	8.8.8.8	192.168.2.3
Dec 3, 2020 10:12:55.001687050 CET	50713	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:12:55.045443058 CET	53	50713	8.8.8.8	192.168.2.3
Dec 3, 2020 10:13:10.023046017 CET	56132	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:13:10.050081968 CET	53	56132	8.8.8.8	192.168.2.3
Dec 3, 2020 10:13:15.319488049 CET	58987	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:13:15.356364965 CET	53	58987	8.8.8.8	192.168.2.3
Dec 3, 2020 10:13:45.000901937 CET	56579	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:13:45.027858973 CET	53	56579	8.8.8.8	192.168.2.3
Dec 3, 2020 10:13:46.729356050 CET	60633	53	192.168.2.3	8.8.8.8
Dec 3, 2020 10:13:46.756539106 CET	53	60633	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 3, 2020 10:12:14.652942896 CET	192.168.2.3	8.8.8.8	0xb1c0	Standard query (0)	nfj254aim.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Dec 3, 2020 10:12:14.693248034 CET	8.8.8.8	192.168.2.3	0xb1c0	No error (0)	nfj254aim.com	104.28.6.227	A (IP address)	IN (0x0001)
Dec 3, 2020 10:12:14.693248034 CET	8.8.8.8	192.168.2.3	0xb1c0	No error (0)	nfj254aim.com	104.28.7.227	A (IP address)	IN (0x0001)
Dec 3, 2020 10:12:14.693248034 CET	8.8.8.8	192.168.2.3	0xb1c0	No error (0)	nfj254aim.com	172.67.164.220	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

nfj254aim.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49711	104.28.6.227	80	C:\Users\Public\ms.com

Timestamp	kBytes transferred	Direction	Data
Dec 3, 2020 10:12:14.774555922 CET	222	OUT	GET /analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rwwHf1xOO/7n6dDzF/xspcd2?RltAN=vsETwS&G_=Ro_LgyQulrPjxaAj&wixw=XYJCRUJhgYHPY&bkUOD=AXjbvUQDbTcWkz HTTP/1.1 Accept: / Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: nfj254aim.com Connection: Keep-Alive
Dec 3, 2020 10:12:15.259387970 CET	223	IN	HTTP/1.1 200 OK Date: Thu, 03 Dec 2020 09:12:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=db45345ad08a18f657e4a03edb0b079811606986734; expires=Sat, 02-Jan-21 09:12:14 GMT; path=/; domain=.nfj254aim.com; HttpOnly; SameSite=Lax X-Powered-By: PHP/7.2.34 CF-Cache-Status: DYNAMIC cf-request-id: 06c978b4c300004108a9184000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=H4niUpCS7%2BC208vQfiad1anE7NOXSNEYndum6HLdaELV%2FNuAJowlMmAjfBoiaJyI2IJmUbAyy30qCmG16MVq73eLeu8JV1tZ%2BMLPGCtd"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 5fbc2a346bd44108-PRG Content-Encoding: gzip Data Raw: 62 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e 3f 0f 82 30 14 c4 f7 7e 8a 27 bb 3c 20 8c 2f 1d 14 88 24 88 c4 94 c1 11 6d 4d 49 90 22 2d fe f9 f6 06 58 5c ef ee 77 77 b4 49 4e 7b 71 a9 52 38 88 63 01 55 bd 2b f2 3d 78 5b c4 3c 15 19 62 22 92 d5 89 fc 00 31 2d 3d ce 48 bb 47 c7 49 ab 46 72 46 ae 75 9d e2 71 10 43 69 1c 64 66 ea 25 e1 2a 32 c2 25 44 57 23 bf 33 17 f2 bf 8c 0e 39 a3 81 0b ad 60 54 cf 49 59 a7 24 d4 e7 02 bc 8f 1d 6e 32 f2 e0 dd 58 e8 8d 83 fb 0c 80 e9 c1 e9 d6 82 55 e3 4b 8d 3e e1 30 0f 2c d5 84 cb 25 f6 03 00 00 ff ff 03 00 0c 45 8d 50 cd 00 00 00 0d 0a Data Ascii: baL?0~'< /$mMI"-X\wwIN{qR8cU+=x[<b"1-=HGIFrFuqCidf%*2%DW#39`TIY$n2XUK>0,%EP

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 1844 Parent PID: 792

General

Start time:	10:12:10
Start date:	03/12/2020
Path:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x1270000
File size:	1937688 bytes
MD5 hash:	0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: ms.com PID: 5308 Parent PID: 4940

General

Start time:	10:12:13
Start date:	03/12/2020
Path:	C:\Users\Public\ms.com
Wow64 process (32bit):	true
Commandline:	C:\users\public\ms.com C:\users\public\ms.html
Imagebase:	0xb30000
File size:	13312 bytes
MD5 hash:	7083239CE743FDB68DFC933B7308E80A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Analysis Process: regsvr32.exe PID: 6192 Parent PID: 5308

General

Start time:	10:12:15
Start date:	03/12/2020
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\regsvr32.exe' C:\Users\user\AppData\Local\Temp\temp.tmp
Imagebase:	0x2b0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report documenti 12.01.20.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "/opt/package/joesandbox/database/analysis/326338/sample/documenti 12.01.20.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 1127

General

VBA Code Keywords

VBA Code

VBA File Name: a7A5m.bas, Stream Size: 5178

General

VBA Code Keywords

VBA Code

VBA File Name: aH8xms.bas, Stream Size: 863

General

VBA Code Keywords

VBA Code

VBA File Name: aIsb7.bas, Stream Size: 5040