Play interactive tour

Edit tour

Analysis Report COVID-19 Vaccine Provider Questionaire Health First CHC- Providence.xlsx

Overview

General Information

Sample Name:	COVID-19 Vaccine Provider Questionaire Health First CHC- Providence.xlsx
Analysis ID:	344024
MD5:	da088a6ac0526f528932271fc37d58ff
SHA1:	ed00c3d987c76ca406e42d915190250e528e99e1
SHA256:	2d7a5d5f2e435088ea7a90e399e6b40693bf04dd82aa179572a7421f6f9f5dd7
Most interesting Screenshot:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

No high impact signatures.

Classification

Startup

System is w10x64

EXCEL.EXE (PID: 6708 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Networking:

Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://api.cortana.ai
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://api.office.net
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://api.onedrive.com
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://augloop.office.com
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://cdn.entity.
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentities
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentitiesupdated
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://cortana.ai
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://cortana.ai/api
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://cr.office.com
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://directory.services.
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://graph.windows.net
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://graph.windows.net/
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://login.windows.local
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://management.azure.com
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://management.azure.com/
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://messaging.office.com/
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://ncus-000.contentsync.
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://ncus-000.pagecontentsync.
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://officeapps.live.com
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://onedrive.live.com
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://outlook.office.com/
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://settings.outlook.com
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://tasks.office.com
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://wus2-000.contentsync.
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://wus2-000.pagecontentsync.
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

System Summary:

Source: classification engine

Classification label: clean0.winXLSX@1/2@0/0

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{3759F233-6A0E-4431-8914-17868A21A656} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	System Information Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
COVID-19 Vaccine Provider Questionaire Health First CHC- Providence.xlsx	0%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://wus2-000.contentsync.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Virustotal		Browse
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	Virustotal		Browse
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	Virustotal		Browse
https://asgsmsproxyapi.azurewebsites.net/	0%	Avira URL Cloud	safe
https://ncus-000.contentsync.	0%	URL Reputation	safe
https://ncus-000.contentsync.	0%	URL Reputation	safe
https://ncus-000.contentsync.	0%	URL Reputation	safe
https://ncus-000.contentsync.	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://ovisualuiapp.azurewebsites.net/pbiagave/	0%	Avira URL Cloud	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://login.microsoftonline.com/	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://shell.suite.office.com:1443	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://autodiscover-s.outlook.com/	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://cdn.entity.	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://wus2-000.contentsync.	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://powerlift.acompli.net	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://cortana.ai	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://api.aadrm.com/	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://api.microsoftstream.com/api/	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://cr.office.com	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://portal.office.com/account/?ref=ClientMeControl	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://ecs.office.com/config/v2/Office	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://graph.ppe.windows.net	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tasks.office.com	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://officeci.azurewebsites.net/api/	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://store.office.cn/addinstemplate	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://wus2-000.pagecontentsync.	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://globaldisco.crm.dynamics.com	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://store.officeppe.com/addinstemplate	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.odwebp.svc.ms	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://web.microsoftstream.com/video/	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://graph.windows.net	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://dataservice.o365filtering.com/	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
http://weather.service.msn.com/data.aspx	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://apis.live.net/v5.0/	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://management.azure.com	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://incidents.diagnostics.office.com	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://api.office.net	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://incidents.diagnosticssdf.office.com	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://entitlement.diagnostics.office.com	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://outlook.office.com/	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://templatelogging.office.com/client/log	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://outlook.office365.com/	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://webshell.suite.office.com	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://management.azure.com/	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://ncus-000.contentsync.	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://login.windows.net/common/oauth2/authorize	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://graph.windows.net/	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://devnull.onenote.com	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://messaging.office.com/	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://contentstorage.omex.office.net/addinclassifier/officeentities	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://augloop.office.com/v2	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://skyapi.live.net/Activity/	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/mac	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://dataservice.o365filtering.com	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.cortana.ai	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://ovisualuiapp.azurewebsites.net/pbiagave/	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false	Avira URL Cloud: safe	unknown
https://visio.uservoice.com/forums/368202-visio-on-devices	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high
https://directory.services.	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://login.windows-ppe.net/common/oauth2/authorize	BC9F22D5-E055-4534-8204-0B1259C0BB66.0.dr	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	344024
Start date:	25.01.2021
Start time:	21:40:27
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	COVID-19 Vaccine Provider Questionaire Health First CHC- Providence.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.winXLSX@1/2@0/0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 40.88.32.150, 52.109.88.177, 52.109.12.21, 52.109.12.22, 51.104.146.109, 23.210.248.85, 95.101.22.125, 95.101.22.134, 20.54.26.129, 51.11.168.160 Excluded domains from analysis (whitelisted): skypedataprdcolwus17.cloudapp.net, prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, skypedataprdcoleus15.cloudapp.net, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, nexus.officeapps.live.com, officeclient.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, europe.configsvc1.live.com.akadns.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\BC9F22D5-E055-4534-8204-0B1259C0BB66 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	132942
Entropy (8bit):	5.372899948121786
Encrypted:	false
SSDEEP:	1536:hcQceNgaBtA3gZw+pQ9DQW+zAUH34ZldpKWXboOilXPErLL8Eh:BrQ9DQW+zBX8P
MD5:	DE41C99BA180F0C1426E79B4762DBB45
SHA1:	27FE955428EBD22C56E99F4595092C6226CBEBAE
SHA-256:	64D7008C44240B2A47E755F96544783F531BA5D9546656B46A703F8A9E2236E4
SHA-512:	8501B2AAB6141DC63E5B72C1612F96F7B980F2B5D26C8A6F1D09813A9E5A922F6A04DC4FBD45B3E9E719DB2248E6B56DC195911D583CAB8DCCF78BE2F0FA0630
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-01-25T20:41:22">.. Build: 16.0.13723.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\Desktop\~$COVID-19 Vaccine Provider Questionaire Health First CHC- Providence.xlsx Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.6081032063576088
Encrypted:	false
SSDEEP:	3:RFXI6dtt:RJ1
MD5:	7AB76C81182111AC93ACF915CA8331D5
SHA1:	68B94B5D4C83A6FB415C8026AF61F3F8745E2559
SHA-256:	6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
SHA-512:	A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	.pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General
File type:	Microsoft Excel 2007+
Entropy (8bit):	7.241265507017585
TrID:	Excel Microsoft Office Open XML Format document (40004/1) 83.33% ZIP compressed archive (8000/1) 16.67%
File name:	COVID-19 Vaccine Provider Questionaire Health First CHC- Providence.xlsx
File size:	14085
MD5:	da088a6ac0526f528932271fc37d58ff
SHA1:	ed00c3d987c76ca406e42d915190250e528e99e1
SHA256:	2d7a5d5f2e435088ea7a90e399e6b40693bf04dd82aa179572a7421f6f9f5dd7
SHA512:	3330f3f07826b89aa3c0bee2bba301d5417158e9bccb91050b093e2a01836752f8ba1d98a53a706dfedeb1bdde99de6c06a3d0034ae016a6e44abd90d7e7ffc6
SSDEEP:	384:KH3k5m0ubJPBc8fzjC4UiB+WCUP/MOova:Kq8f64Us7PUW
File Content Preview:	PK..........!.A7..n...........[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	74ecd0d2d6d6d0dc

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 25, 2021 21:41:11.233674049 CET	64185	53	192.168.2.3	8.8.8.8
Jan 25, 2021 21:41:11.281878948 CET	53	64185	8.8.8.8	192.168.2.3
Jan 25, 2021 21:41:12.346210003 CET	65110	53	192.168.2.3	8.8.8.8
Jan 25, 2021 21:41:12.394474030 CET	53	65110	8.8.8.8	192.168.2.3
Jan 25, 2021 21:41:13.459103107 CET	58361	53	192.168.2.3	8.8.8.8
Jan 25, 2021 21:41:13.507400990 CET	53	58361	8.8.8.8	192.168.2.3
Jan 25, 2021 21:41:14.461608887 CET	63492	53	192.168.2.3	8.8.8.8
Jan 25, 2021 21:41:14.513526917 CET	53	63492	8.8.8.8	192.168.2.3
Jan 25, 2021 21:41:15.592648029 CET	60831	53	192.168.2.3	8.8.8.8
Jan 25, 2021 21:41:15.651670933 CET	53	60831	8.8.8.8	192.168.2.3
Jan 25, 2021 21:41:20.894814968 CET	60100	53	192.168.2.3	8.8.8.8
Jan 25, 2021 21:41:20.945981979 CET	53	60100	8.8.8.8	192.168.2.3
Jan 25, 2021 21:41:21.791965961 CET	53195	53	192.168.2.3	8.8.8.8
Jan 25, 2021 21:41:21.848836899 CET	53	53195	8.8.8.8	192.168.2.3
Jan 25, 2021 21:41:21.895355940 CET	50141	53	192.168.2.3	8.8.8.8
Jan 25, 2021 21:41:21.986181974 CET	53	50141	8.8.8.8	192.168.2.3
Jan 25, 2021 21:41:22.328027010 CET	53023	53	192.168.2.3	8.8.8.8
Jan 25, 2021 21:41:22.386290073 CET	53	53023	8.8.8.8	192.168.2.3
Jan 25, 2021 21:41:23.337995052 CET	53023	53	192.168.2.3	8.8.8.8
Jan 25, 2021 21:41:23.397712946 CET	53	53023	8.8.8.8	192.168.2.3
Jan 25, 2021 21:41:23.914624929 CET	49563	53	192.168.2.3	8.8.8.8
Jan 25, 2021 21:41:23.962486029 CET	53	49563	8.8.8.8	192.168.2.3
Jan 25, 2021 21:41:24.337495089 CET	53023	53	192.168.2.3	8.8.8.8
Jan 25, 2021 21:41:24.393747091 CET	53	53023	8.8.8.8	192.168.2.3
Jan 25, 2021 21:41:24.707150936 CET	51352	53	192.168.2.3	8.8.8.8
Jan 25, 2021 21:41:24.755090952 CET	53	51352	8.8.8.8	192.168.2.3
Jan 25, 2021 21:41:25.523057938 CET	59349	53	192.168.2.3	8.8.8.8
Jan 25, 2021 21:41:25.571103096 CET	53	59349	8.8.8.8	192.168.2.3
Jan 25, 2021 21:41:26.353421926 CET	53023	53	192.168.2.3	8.8.8.8
Jan 25, 2021 21:41:26.407458067 CET	57084	53	192.168.2.3	8.8.8.8
Jan 25, 2021 21:41:26.414933920 CET	53	53023	8.8.8.8	192.168.2.3
Jan 25, 2021 21:41:26.455794096 CET	53	57084	8.8.8.8	192.168.2.3
Jan 25, 2021 21:41:27.521646023 CET	58823	53	192.168.2.3	8.8.8.8
Jan 25, 2021 21:41:27.571532965 CET	53	58823	8.8.8.8	192.168.2.3
Jan 25, 2021 21:41:29.246718884 CET	57568	53	192.168.2.3	8.8.8.8
Jan 25, 2021 21:41:29.294547081 CET	53	57568	8.8.8.8	192.168.2.3
Jan 25, 2021 21:41:30.353871107 CET	53023	53	192.168.2.3	8.8.8.8
Jan 25, 2021 21:41:30.403301954 CET	53	53023	8.8.8.8	192.168.2.3
Jan 25, 2021 21:41:39.574229956 CET	50540	53	192.168.2.3	8.8.8.8
Jan 25, 2021 21:41:39.624934912 CET	53	50540	8.8.8.8	192.168.2.3
Jan 25, 2021 21:41:44.399127960 CET	54366	53	192.168.2.3	8.8.8.8
Jan 25, 2021 21:41:44.458062887 CET	53	54366	8.8.8.8	192.168.2.3
Jan 25, 2021 21:41:50.279580116 CET	53034	53	192.168.2.3	8.8.8.8
Jan 25, 2021 21:41:50.346507072 CET	53	53034	8.8.8.8	192.168.2.3
Jan 25, 2021 21:41:56.470256090 CET	57762	53	192.168.2.3	8.8.8.8
Jan 25, 2021 21:41:56.541786909 CET	53	57762	8.8.8.8	192.168.2.3
Jan 25, 2021 21:42:16.205274105 CET	55435	53	192.168.2.3	8.8.8.8
Jan 25, 2021 21:42:16.253302097 CET	53	55435	8.8.8.8	192.168.2.3
Jan 25, 2021 21:42:19.362626076 CET	50713	53	192.168.2.3	8.8.8.8
Jan 25, 2021 21:42:19.423096895 CET	53	50713	8.8.8.8	192.168.2.3
Jan 25, 2021 21:42:50.562452078 CET	56132	53	192.168.2.3	8.8.8.8
Jan 25, 2021 21:42:50.613142967 CET	53	56132	8.8.8.8	192.168.2.3
Jan 25, 2021 21:42:52.124480009 CET	58987	53	192.168.2.3	8.8.8.8
Jan 25, 2021 21:42:52.200997114 CET	53	58987	8.8.8.8	192.168.2.3

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: EXCEL.EXE PID: 6708 Parent PID: 792

General

Start time:	21:42:08
Start date:	25/01/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase:	0xe50000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Reset < >

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report COVID-19 Vaccine Provider Questionaire Health First CHC- Providence.xlsx

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Compliance:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: EXCEL.EXE PID: 6708 Parent PID: 792

General

Chronological Activities

Disassembly