Play interactive tour

Edit tour

Windows Analysis Report DOC0798.doc

Overview

General Information

Sample Name:	DOC0798.doc
Analysis ID:	435310
MD5:	51a19560ad005f1dfaf49d959c2dbe7a
SHA1:	660adab2960c1e726e610223e3032595f49f7e74
SHA256:	00175c704e4d534a072f8d777bbb5413dfa32d51fd6b922e88e980c02357b0f1
Tags:	doc
Infos:
Most interesting Screenshot:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 5380 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)

splwow64.exe (PID: 3660 cmdline: C:\Windows\splwow64.exe 12288 MD5: 8D59B31FF375059E3C32B17BF31A76D5)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: DOC0798.doc

ReversingLabs: Detection: 30%

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://api.cortana.ai
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://api.office.net
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://api.onedrive.com
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://augloop.office.com
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://cdn.entity.
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://cortana.ai
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://cortana.ai/api
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://cr.office.com
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://directory.services.
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://graph.windows.net
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://graph.windows.net/
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://login.windows.local
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://management.azure.com
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://management.azure.com/
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://messaging.office.com/
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://officeapps.live.com
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://onedrive.live.com
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://osi.office.net
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://outlook.office.com/
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://settings.outlook.com
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://tasks.office.com
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: classification engine

Classification label: mal48.winDOC@3/8@0/0

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{5FBC5CB0-AC01-4B83-9D1A-CA9042730FA5} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: DOC0798.doc

ReversingLabs: Detection: 30%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: DOC0798.doc

Static file information: File size 1613819 > 1048576

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\splwow64.exe

Thread delayed: delay time: 120000

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	Virtualization/Sandbox Evasion1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	System Information Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
DOC0798.doc	30%	ReversingLabs	Document-Office.Exploit.CVE-2017-11882

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Virustotal		Browse
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	Virustotal		Browse
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	Virustotal		Browse
https://asgsmsproxyapi.azurewebsites.net/	0%	Avira URL Cloud	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://ovisualuiapp.azurewebsites.net/pbiagave/	0%	Virustotal		Browse
https://ovisualuiapp.azurewebsites.net/pbiagave/	0%	Avira URL Cloud	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://login.microsoftonline.com/	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://shell.suite.office.com:1443	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://autodiscover-s.outlook.com/	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://cdn.entity.	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://powerlift.acompli.net	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://cortana.ai	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://api.aadrm.com/	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://api.microsoftstream.com/api/	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://cr.office.com	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://portal.office.com/account/?ref=ClientMeControl	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://graph.ppe.windows.net	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tasks.office.com	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://officeci.azurewebsites.net/api/	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://store.office.cn/addinstemplate	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://globaldisco.crm.dynamics.com	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://store.officeppe.com/addinstemplate	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.odwebp.svc.ms	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://web.microsoftstream.com/video/	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://graph.windows.net	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://dataservice.o365filtering.com/	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://ncus.contentsync.	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
http://weather.service.msn.com/data.aspx	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://apis.live.net/v5.0/	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://management.azure.com	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://wus2.contentsync.	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://api.office.net	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://incidents.diagnosticssdf.office.com	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://entitlement.diagnostics.office.com	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://outlook.office.com/	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://templatelogging.office.com/client/log	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://outlook.office365.com/	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://webshell.suite.office.com	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://management.azure.com/	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://login.windows.net/common/oauth2/authorize	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://graph.windows.net/	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://devnull.onenote.com	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://ncus.pagecontentsync.	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://messaging.office.com/	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://augloop.office.com/v2	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://skyapi.live.net/Activity/	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/mac	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://dataservice.o365filtering.com	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.cortana.ai	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://ovisualuiapp.azurewebsites.net/pbiagave/	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://visio.uservoice.com/forums/368202-visio-on-devices	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://directory.services.	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://login.windows-ppe.net/common/oauth2/authorize	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high
https://staging.cortana.ai	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://loki.delve.office.com/api/v1/configuration/officewin32/	D098D95B-642E-42EF-92A5-23F41BB7DAD7.0.dr	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	435310
Start date:	16.06.2021
Start time:	12:02:44
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	DOC0798.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.winDOC@3/8@0/0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 93.184.220.29, 20.82.209.183, 104.42.151.234, 131.253.33.200, 13.107.22.200, 40.88.32.150, 23.211.6.115, 52.109.32.63, 52.109.12.22, 52.109.12.24, 23.211.4.86, 20.50.102.62, 8.238.28.126, 8.241.80.126, 8.241.83.126, 8.238.85.254, 8.241.89.254, 51.103.5.159, 40.112.88.60, 80.67.82.235, 80.67.82.211 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, prod-w.nexus.live.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, nexus.officeapps.live.com, officeclient.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, europe.configsvc1.live.com.akadns.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
12:03:53	API Interceptor	14x Sleep call for process: splwow64.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D098D95B-642E-42EF-92A5-23F41BB7DAD7 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	134863
Entropy (8bit):	5.364801336445016
Encrypted:	false
SSDEEP:	1536:RcQIKNEeBxA3gBwlpQ9DQW+z7Y34ZliKWXboOilX5E6LWME9:DEQ9DQW+zLXO1
MD5:	E76889961DD613CB80F53A9E57179689
SHA1:	60391E8CA2B6A342977148C1395E4D0AB860FC55
SHA-256:	895AB9D5A96208499032E87ACB0AFC93B9DC6A06CB93F838FA37B255B43E3D56
SHA-512:	730858A613C41290FA14F1B5DCFB33AEC7F6A98B6079DFA284B106D871C9196CD20A39978FA4C382AC84626B50518B40AFE0FE7BA9362C6214A3801F076ECB62
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-06-16T10:03:34">.. Build: 16.0.14214.30526-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{09A8A274-0F83-4D32-A1A8-2C46EB8A646D}.tmp Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{4B58F8FA-D276-4F58-BC02-3B3873E56BFB}.tmp Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.7687523570561114
Encrypted:	false
SSDEEP:	3:gl2lfwDOxRlt9lg7tlVl7lY2l/Dlll8v0lglwZ2Som/UlglwZel8gl7vlI8:zNwDOxRAJ0SDlll8vlwJLFwQFrB
MD5:	241676A96AF63ABA1894E9BA2825D4F1
SHA1:	281784583A4285D689EDEC9A448AFAC1E05DFDDD
SHA-256:	63858D0504191652EE0E582F1B847C6CFCDBC5639FFFC81631BD1CE23420EA2D
SHA-512:	D40DA644BB323A4576855F409F65EB66D06ED40A1FCA729674DD0FA13544BC5A75730CB50776F3964D74AF4D581AC578AD5E8A901DBA8B0FE52C5BF8068215F1
Malicious:	false
Reputation:	low
Preview:	=......... .U.n.k.n.o.w.n.E.M.B.E.D.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j....CJ..OJ..QJ..U..^J..aJ.. .j.gtd...CJ..OJ..QJ..U..^J..aJ.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\DOC0798.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 13:47:05 2020, mtime=Wed Jun 16 18:03:35 2021, atime=Wed Jun 16 18:03:31 2021, length=1613819, window=hide
Category:	dropped
Size (bytes):	2086
Entropy (8bit):	4.725157122625851
Encrypted:	false
SSDEEP:	24:8pPmYlMAAKM0JDyY7aB6mypPmYlMAAKM0JDyY7aB6m:8pOYlAKM02B6ppOYlAKM02B6
MD5:	F82BF23C18FF9D8F2CF148DAE0D90C98
SHA1:	D3851E636588B337D8B63B792FCFEA1C688176FE
SHA-256:	649472A00BB6B04C5489EAA2BFAD50A07B8652173827FB90E2BDF8E442DF2330
SHA-512:	7C03E6AAD9F756CD709C242B84D64D14E08C888C240AF26AF3AF84B45B62D1085EDC444DAD643B0579D0EC57FEE0860B7106DFBC8414EE2E6B68B906E842CE13
Malicious:	false
Reputation:	low
Preview:	L..................F.... ......8....#.N.b..J+\L.b...............................P.O. .:i.....+00.../C:\...................x.1......Ng...Users.d......L...Rj.....................:......B..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....T.1.....>Q.u..user..>.......NM..Rj......S....................Ap .a.l.f.o.n.s.....~.1.....>Q.u..Desktop.h.......NM..Rk......Y..............>......v..D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....b.2......Rp. .DOC0798.doc.H......>Q.u.Rp.....f.......................\.D.O.C.0.7.9.8...d.o.c.......R...............-.......Q...........>.S......C:\Users\user\Desktop\DOC0798.doc..".....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.D.O.C.0.7.9.8...d.o.c.........:..,.LB.)...Aw...`.......X.......179605...........!a..%.H.VZAj....Xt.+........W...!a..%.H.VZAj....Xt.+........W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.1702223972093195
Encrypted:	false
SSDEEP:	3:M18iSsd25d4sd2mX18iSsd2v:M+ocfqoI
MD5:	3C8E4AC54FF66878DC3446F616641670
SHA1:	FD8694B9B068C7CBE20128AF8398A92669E869AD
SHA-256:	1D9989644C7811E99A3B44DBB966432BFC35FDC656481E38001C0BF030F7F4BF
SHA-512:	2713B9AEFFDBC95FE7F55369AF848A67F13C0A37D547957BE15FE39D3F2E229149825C07F0BDA8159552D781D04B05B310A3BBFB708EABE2EBDC06B2E4C2928E
Malicious:	false
Reputation:	low
Preview:	[doc]..DOC0798.LNK=0..DOC0798.LNK=0..[doc]..DOC0798.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.080633405119365
Encrypted:	false
SSDEEP:	3:Rl/ZdNDNxVllt7VGnitlbO1lt7:RtZ/pzGnwOXB
MD5:	74A29C644D740B86F973D46D22EC54C5
SHA1:	093F93BD058091DFB05CDF1E15DAC44138A47DBE
SHA-256:	5EA07C9B25DF8DE3721C093B662CA30E766898F2A2E1996072FA9AC38D95642C
SHA-512:	08658462DD7CF0021A821A12EB2F16234EB29B8EC076659A40557FA4E3FFE5B336710A756E6D1F517A4A379C8F3F3EA78C5ADFBCD504034EF00797944AD798CF
Malicious:	false
Reputation:	low
Preview:	.pratesh................................................p.r.a.t.e.s.h........._.c............................[.c............................G.c............$...

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with CR line terminators
Category:	dropped
Size (bytes):	22
Entropy (8bit):	2.9808259362290785
Encrypted:	false
SSDEEP:	3:QAlX0Gn:QKn
MD5:	7962B839183642D3CDC2F9CEBDBF85CE
SHA1:	2BE8F6F309962ED367866F6E70668508BC814C2D
SHA-256:	5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
SHA-512:	2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
Malicious:	false
Reputation:	high, very likely benign file
Preview:	....p.r.a.t.e.s.h.....

C:\Users\user\Desktop\~$OC0798.doc Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.080633405119365
Encrypted:	false
SSDEEP:	3:Rl/ZdNDNxVllt7VGnitlbO1lt7:RtZ/pzGnwOXB
MD5:	74A29C644D740B86F973D46D22EC54C5
SHA1:	093F93BD058091DFB05CDF1E15DAC44138A47DBE
SHA-256:	5EA07C9B25DF8DE3721C093B662CA30E766898F2A2E1996072FA9AC38D95642C
SHA-512:	08658462DD7CF0021A821A12EB2F16234EB29B8EC076659A40557FA4E3FFE5B336710A756E6D1F517A4A379C8F3F3EA78C5ADFBCD504034EF00797944AD798CF
Malicious:	false
Reputation:	low
Preview:	.pratesh................................................p.r.a.t.e.s.h........._.c............................[.c............................G.c............$...

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	3.5119546202634186
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	DOC0798.doc
File size:	1613819
MD5:	51a19560ad005f1dfaf49d959c2dbe7a
SHA1:	660adab2960c1e726e610223e3032595f49f7e74
SHA256:	00175c704e4d534a072f8d777bbb5413dfa32d51fd6b922e88e980c02357b0f1
SHA512:	e27f5a1dfa095b4219f19866eca67fd4289ea0a72bb1b8c9532f48d204dab9d4c595efe9382a450633104204e88eb6ad43b8e2fce60ff8e323d16fda8921a576
SSDEEP:	12288:ZZ2nkYR5UxLEpyI28DpDwHVfsDpEq3EnCpug3P:akYR5UwyI9pg5Y2q38Cz/
File Content Preview:	{\rtf8561{\object\objautlink67039725\objw4045\objh7166{\*\objdata.3dbf9512020000000b0000004551556174696f6e2e33000000000000000000ab4f0c00037e01eb470a0105c02e5cec00000000000000000000000000000000000000000000000000500645000000000000000000000000000000000000000

File Icon


Icon Hash:	74f4c4c6c1cac4d8

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	0000003Dh	2	embedded	EQUation.3	806827				no

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 16, 2021 12:03:25.056065083 CEST	62060	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:03:25.112634897 CEST	53	62060	8.8.8.8	192.168.2.5
Jun 16, 2021 12:03:25.939789057 CEST	61805	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:03:26.008246899 CEST	53	61805	8.8.8.8	192.168.2.5
Jun 16, 2021 12:03:26.046083927 CEST	54795	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:03:26.096499920 CEST	53	54795	8.8.8.8	192.168.2.5
Jun 16, 2021 12:03:26.141494036 CEST	49557	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:03:26.210721016 CEST	53	49557	8.8.8.8	192.168.2.5
Jun 16, 2021 12:03:27.947537899 CEST	61733	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:03:28.005286932 CEST	53	61733	8.8.8.8	192.168.2.5
Jun 16, 2021 12:03:28.576253891 CEST	65447	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:03:28.636218071 CEST	53	65447	8.8.8.8	192.168.2.5
Jun 16, 2021 12:03:28.755312920 CEST	52441	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:03:28.805946112 CEST	53	52441	8.8.8.8	192.168.2.5
Jun 16, 2021 12:03:30.083693027 CEST	62176	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:03:30.134006977 CEST	53	62176	8.8.8.8	192.168.2.5
Jun 16, 2021 12:03:30.960051060 CEST	59596	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:03:31.016469955 CEST	53	59596	8.8.8.8	192.168.2.5
Jun 16, 2021 12:03:31.819905043 CEST	65296	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:03:31.871845007 CEST	53	65296	8.8.8.8	192.168.2.5
Jun 16, 2021 12:03:33.699239016 CEST	63183	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:03:33.770544052 CEST	53	63183	8.8.8.8	192.168.2.5
Jun 16, 2021 12:03:34.231000900 CEST	60151	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:03:34.318036079 CEST	53	60151	8.8.8.8	192.168.2.5
Jun 16, 2021 12:03:34.899413109 CEST	56969	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:03:34.974857092 CEST	53	56969	8.8.8.8	192.168.2.5
Jun 16, 2021 12:03:35.890820026 CEST	56969	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:03:36.041436911 CEST	53	56969	8.8.8.8	192.168.2.5
Jun 16, 2021 12:03:36.471499920 CEST	55161	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:03:36.522361040 CEST	53	55161	8.8.8.8	192.168.2.5
Jun 16, 2021 12:03:36.890600920 CEST	56969	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:03:36.953203917 CEST	53	56969	8.8.8.8	192.168.2.5
Jun 16, 2021 12:03:37.337923050 CEST	54757	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:03:37.392987013 CEST	53	54757	8.8.8.8	192.168.2.5
Jun 16, 2021 12:03:38.260936022 CEST	49992	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:03:38.321372032 CEST	53	49992	8.8.8.8	192.168.2.5
Jun 16, 2021 12:03:38.937652111 CEST	56969	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:03:39.007592916 CEST	53	56969	8.8.8.8	192.168.2.5
Jun 16, 2021 12:03:39.106858969 CEST	60075	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:03:39.163233042 CEST	53	60075	8.8.8.8	192.168.2.5
Jun 16, 2021 12:03:42.984919071 CEST	56969	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:03:43.052145004 CEST	53	56969	8.8.8.8	192.168.2.5
Jun 16, 2021 12:03:52.842989922 CEST	55016	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:03:52.903064013 CEST	53	55016	8.8.8.8	192.168.2.5
Jun 16, 2021 12:04:07.609932899 CEST	64345	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:04:07.684132099 CEST	53	64345	8.8.8.8	192.168.2.5
Jun 16, 2021 12:04:20.365758896 CEST	57128	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:04:20.424657106 CEST	53	57128	8.8.8.8	192.168.2.5
Jun 16, 2021 12:04:20.799076080 CEST	54791	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:04:20.850956917 CEST	53	54791	8.8.8.8	192.168.2.5
Jun 16, 2021 12:04:36.172164917 CEST	50463	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:04:36.247225046 CEST	53	50463	8.8.8.8	192.168.2.5
Jun 16, 2021 12:04:41.222171068 CEST	50394	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:04:41.283497095 CEST	53	50394	8.8.8.8	192.168.2.5
Jun 16, 2021 12:05:15.779038906 CEST	58530	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:05:15.846770048 CEST	53	58530	8.8.8.8	192.168.2.5
Jun 16, 2021 12:05:17.197577000 CEST	53813	53	192.168.2.5	8.8.8.8
Jun 16, 2021 12:05:17.273613930 CEST	53	53813	8.8.8.8	192.168.2.5

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 5380 Parent PID: 792

General

Start time:	12:03:32
Start date:	16/06/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x10f0000
File size:	1937688 bytes
MD5 hash:	0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: splwow64.exe PID: 3660 Parent PID: 5380

General

Start time:	12:03:53
Start date:	16/06/2021
Path:	C:\Windows\splwow64.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\splwow64.exe 12288
Imagebase:	0x7ff6fe1e0000
File size:	130560 bytes
MD5 hash:	8D59B31FF375059E3C32B17BF31A76D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report DOC0798.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: WINWORD.EXE PID: 5380 Parent PID: 792

General

Chronological Activities

Analysis Process: splwow64.exe PID: 3660 Parent PID: 5380

General

Chronological Activities

Disassembly