Play interactive tour

Edit tour

Windows Analysis Report PO-0814.doc

Overview

General Information

Sample Name:	PO-0814.doc
Analysis ID:	435316
MD5:	c811bfeba8f5ecd3fa4fe6e65dcc46af
SHA1:	32bd41b37872d0bd3d6376abbb29b8d0da47f1ac
SHA256:	fe5b31f0bf9c8a120cd21da9a474ca1b083af0e23ee0e29ca42939009aa4e149
Tags:	doc
Infos:
Most interesting Screenshot:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 6412 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)

splwow64.exe (PID: 6968 cmdline: C:\Windows\splwow64.exe 12288 MD5: 8D59B31FF375059E3C32B17BF31A76D5)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: PO-0814.doc

ReversingLabs: Detection: 34%

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://api.cortana.ai
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://api.office.net
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://api.onedrive.com
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://augloop.office.com
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://cdn.entity.
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://cortana.ai
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://cortana.ai/api
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://cr.office.com
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://directory.services.
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://graph.windows.net
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://graph.windows.net/
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://login.windows.local
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://management.azure.com
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://management.azure.com/
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://messaging.office.com/
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://officeapps.live.com
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://onedrive.live.com
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://osi.office.net
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://outlook.office.com/
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://settings.outlook.com
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://tasks.office.com
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: classification engine

Classification label: mal48.winDOC@3/8@0/0

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{672B9DD3-5E1E-47C6-BBA2-F3D1CF4C6D8A} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: PO-0814.doc

ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Source: PO-0814.doc

Static file information: File size 1710047 > 1048576

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX

Source: C:\Windows\splwow64.exe

Thread delayed: delay time: 120000

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	Virtualization/Sandbox Evasion1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	System Information Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PO-0814.doc	35%	ReversingLabs	Document-Office.Exploit.CVE-2017-11882

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Virustotal		Browse
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	Virustotal		Browse
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	Virustotal		Browse
https://asgsmsproxyapi.azurewebsites.net/	0%	Avira URL Cloud	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://ovisualuiapp.azurewebsites.net/pbiagave/	0%	Virustotal		Browse
https://ovisualuiapp.azurewebsites.net/pbiagave/	0%	Avira URL Cloud	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://login.microsoftonline.com/	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://shell.suite.office.com:1443	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://autodiscover-s.outlook.com/	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://cdn.entity.	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://powerlift.acompli.net	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://cortana.ai	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://api.aadrm.com/	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://api.microsoftstream.com/api/	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://cr.office.com	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://portal.office.com/account/?ref=ClientMeControl	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://graph.ppe.windows.net	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tasks.office.com	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://officeci.azurewebsites.net/api/	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://store.office.cn/addinstemplate	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://globaldisco.crm.dynamics.com	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://store.officeppe.com/addinstemplate	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.odwebp.svc.ms	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://web.microsoftstream.com/video/	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://graph.windows.net	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://dataservice.o365filtering.com/	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://ncus.contentsync.	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
http://weather.service.msn.com/data.aspx	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://apis.live.net/v5.0/	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://management.azure.com	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://wus2.contentsync.	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://api.office.net	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://incidents.diagnosticssdf.office.com	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://entitlement.diagnostics.office.com	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://outlook.office.com/	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://templatelogging.office.com/client/log	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://outlook.office365.com/	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://webshell.suite.office.com	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://management.azure.com/	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://login.windows.net/common/oauth2/authorize	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://graph.windows.net/	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://devnull.onenote.com	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://ncus.pagecontentsync.	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://messaging.office.com/	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://augloop.office.com/v2	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://skyapi.live.net/Activity/	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/mac	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://dataservice.o365filtering.com	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.cortana.ai	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://ovisualuiapp.azurewebsites.net/pbiagave/	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://visio.uservoice.com/forums/368202-visio-on-devices	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://directory.services.	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://login.windows-ppe.net/common/oauth2/authorize	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high
https://staging.cortana.ai	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://loki.delve.office.com/api/v1/configuration/officewin32/	FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7.0.dr	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	435316
Start date:	16.06.2021
Start time:	12:12:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 6s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	PO-0814.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.winDOC@3/8@0/0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.107.3.254, 13.107.253.254, 104.43.193.48, 52.147.198.201, 52.109.88.177, 52.109.12.21, 20.82.210.154, 20.54.7.98, 40.112.88.60, 20.54.104.15, 173.222.108.226, 173.222.108.210, 20.54.26.129, 80.67.82.235, 80.67.82.211 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, prod-w.nexus.live.com.akadns.net, s-ring.msedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, s-ring.s-9999.s-msedge.net, t-ring.msedge.net, skypedataprdcolcus15.cloudapp.net, t-9999.fb-t-msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, s-9999.s-msedge.net, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, t-ring.t-9999.t-msedge.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:13:13	API Interceptor	12x Sleep call for process: splwow64.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\FB9D2E74-CF1E-446D-ADAF-5037AFCD61C7 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	134863
Entropy (8bit):	5.3648010443415775
Encrypted:	false
SSDEEP:	1536:IcQIKNEeBxA3gBwlpQ9DQW+z7Y34ZliKWXboOilX5E6LWME9:OEQ9DQW+zLXO1
MD5:	9B4A8D08742AA0B05AF34E2AEBE2E8AD
SHA1:	DF41A84003F7EAD1C30D1ACEEEF6EB19D24FD003
SHA-256:	3B6253B91BF3C14C5C2CB3086355CE5A6A4B3AA363F70E48739983412C199BE4
SHA-512:	4F70B335FD008765348FC786FDE3A53E6B1955013E522C975B174A3B5485FD7DD64DD4E86D220CDFBBB1CDA35C2736C650F7A89B07C3213ADB97BE7893A1BBE6
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-06-16T10:12:55">.. Build: 16.0.14214.30526-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{D02C9C23-9FAB-49C5-A520-B3B783F08DE0}.tmp Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.7687523570561114
Encrypted:	false
SSDEEP:	3:gl2lfwDOxRlt9lg7tlVl7lY2l/Dlll8v0lglwZUvtv/UlglwZel8gl7vlI8:zNwDOxRAJ0SDlll8vlw8t3FwQFrB
MD5:	86D0B0AB1FEE8546522734C6D67B27C3
SHA1:	0403366C5DEACE9576376463E59FBDC0D142C853
SHA-256:	05AF56C054C28C112B02C3C40351692C71A08A780074088AE7DF163674DC904E
SHA-512:	CA087E3FB58462DAA1ADF2B33D79F0A0872BB0E69A884AFD51B9F478AF37FB50ED339C275836ED8460451700DA4178B45233029351E33779CEE2F4FF4148B46C
Malicious:	false
Reputation:	low
Preview:	=......... .U.n.k.n.o.w.n.E.M.B.E.D.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j....CJ..OJ..QJ..U..^J..aJ.. .jGitd...CJ..OJ..QJ..U..^J..aJ.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{DFF4BA98-BA4E-4041-852E-34D88C256C56}.tmp Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PO-0814.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 06:35:49 2020, mtime=Wed Jun 16 09:12:55 2021, atime=Wed Jun 16 09:12:52 2021, length=1710047, window=hide
Category:	dropped
Size (bytes):	2076
Entropy (8bit):	4.730178722805428
Encrypted:	false
SSDEEP:	24:8A6IIhlhFisiAVbHggBs5Di7aB6myA6IIhlhFisiAVbHggBs5Di7aB6m:8A6IIOsBVEEsRB6pA6IIOsBVEEsRB6
MD5:	6251CE2A7A179A3C9D59C352425A229B
SHA1:	DD6D96ECEC5F4ACCD79DB4B214C9B71C214043E8
SHA-256:	98FECD951274C0CE44C512240B1A2D555B7839C6F24C6C0A6B54053859A01261
SHA-512:	5B30B0AE96EC04FBB2F62E7E136A357CCC8D5CB48F91318704B51EEBF0A76444CCEC1DDB965ED3CACAB11843640C1CCAEDF60CF207734FACB98C4D20AD14804C
Malicious:	false
Reputation:	low
Preview:	L..................F.... .....Q.......,.b....*.b...............................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R.Q....................:......;..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qz<..user.<.......N...R.Q....#J........................j.o.n.e.s.....~.1.....>Q\|<..Desktop.h.......N...R.Q.....Y..............>.....h$$.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....b.2......R.Q .PO-0814.doc.H......>Qy<.R.Q.....V.....................b..P.O.-.0.8.1.4...d.o.c.......Q...............-.......P...........>.S......C:\Users\user\Desktop\PO-0814.doc..".....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.O.-.0.8.1.4...d.o.c.........:..,.LB.)...As...`.......X.......305090...........!a..%.H.VZAj....................!a..%.H.VZAj...............................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.1702223972093195
Encrypted:	false
SSDEEP:	3:M1gAOru4otDOru4omX1gAOru4ov:MiAO5mDO5IAO5y
MD5:	7658D96DC6F1BF1C4B8E7587B63785BF
SHA1:	9EA85D1D15BEC75AB16A6F14A8074B15006E4821
SHA-256:	96787D74AC1F603009D6AF517C2100C4FF79E947097BE74A818B876FEA1FE61D
SHA-512:	195D14A0ED4D61CA6ABDA1302FC75A684E57B760486EAB5D7B60D0A2B3F1B0AA2BDFE2DDCF2726A1B9118B4B322322E919E922C34E702888C307E3D82A4677B6
Malicious:	false
Reputation:	low
Preview:	[doc]..PO-0814.LNK=0..PO-0814.LNK=0..[doc]..PO-0814.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.637450258027898
Encrypted:	false
SSDEEP:	3:Rl/ZdrYttolFV7lptHlqKywaYzoY17:RtZpIOH7+iIY17
MD5:	ABD87C38983052596149295CFF4A4EA3
SHA1:	BED8D6FDFAF29E4010DC066CA559AB9335B326FA
SHA-256:	249C77C9545C4265937B5A30A0204EDB51F03532D42B60F93338D9FB53C0EFAD
SHA-512:	05FA867AFFB422DC0150419C37A1B8BF47E87240AA098A889865A1BF932906A5760E5E9C6CCD909BE3DEE2E0210E09534A315BA583D4AF250A0D6E15F6D27652
Malicious:	false
Reputation:	low
Preview:	.pratesh................................................p.r.a.t.e.s.h..........!...;...........................!..<..........$.......6C.......!...=..x..s`..sP..s

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with CR line terminators
Category:	dropped
Size (bytes):	22
Entropy (8bit):	2.9808259362290785
Encrypted:	false
SSDEEP:	3:QAlX0Gn:QKn
MD5:	7962B839183642D3CDC2F9CEBDBF85CE
SHA1:	2BE8F6F309962ED367866F6E70668508BC814C2D
SHA-256:	5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
SHA-512:	2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
Malicious:	false
Reputation:	high, very likely benign file
Preview:	....p.r.a.t.e.s.h.....

C:\Users\user\Desktop\~$O-0814.doc Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.637450258027898
Encrypted:	false
SSDEEP:	3:Rl/ZdrYttolFV7lptHlqKywaYzoY17:RtZpIOH7+iIY17
MD5:	ABD87C38983052596149295CFF4A4EA3
SHA1:	BED8D6FDFAF29E4010DC066CA559AB9335B326FA
SHA-256:	249C77C9545C4265937B5A30A0204EDB51F03532D42B60F93338D9FB53C0EFAD
SHA-512:	05FA867AFFB422DC0150419C37A1B8BF47E87240AA098A889865A1BF932906A5760E5E9C6CCD909BE3DEE2E0210E09534A315BA583D4AF250A0D6E15F6D27652
Malicious:	false
Reputation:	low
Preview:	.pratesh................................................p.r.a.t.e.s.h..........!...;...........................!..<..........$.......6C.......!...=..x..s`..sP..s

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	3.5422390551490244
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	PO-0814.doc
File size:	1710047
MD5:	c811bfeba8f5ecd3fa4fe6e65dcc46af
SHA1:	32bd41b37872d0bd3d6376abbb29b8d0da47f1ac
SHA256:	fe5b31f0bf9c8a120cd21da9a474ca1b083af0e23ee0e29ca42939009aa4e149
SHA512:	9b79c8edee042ed6746c9c9e7a6693c9bced573c11c0550aaddea0459b480e6e97a3900e132687b33604e91ba9efaf99df4fc3406092578f67d6d48b021946f0
SSDEEP:	12288:2NpPfQ5Q48Fr8jzOpbXW84abtMCF2XdO/hTtGL6oRkrG2X4:2NpPfQe4ZmpbGs32XdO3GL7+G2X4
File Content Preview:	{\rtf6965{\object\objautlink70169935\objw9723\objh6132{\*\objdata.9c9bd81a020000000b0000004571756174496f4e2e330000000000000000009d0b0d00037e01eb470a0105d76448ec00000000000000000000000000000000000000000000000000500645000000000000000000000000000000000000000

File Icon


Icon Hash:	74f4c4c6c1cac4d8

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	0000003Dh	2	embedded	EquatIoN.3	854941				no

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 16, 2021 12:12:47.346512079 CEST	53097	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:12:47.397896051 CEST	53	53097	8.8.8.8	192.168.2.4
Jun 16, 2021 12:12:47.576864004 CEST	49257	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:12:47.629862070 CEST	53	49257	8.8.8.8	192.168.2.4
Jun 16, 2021 12:12:47.795382023 CEST	62389	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:12:47.845927954 CEST	53	62389	8.8.8.8	192.168.2.4
Jun 16, 2021 12:12:49.309423923 CEST	49910	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:12:49.368712902 CEST	53	49910	8.8.8.8	192.168.2.4
Jun 16, 2021 12:12:50.132988930 CEST	55854	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:12:50.192109108 CEST	53	55854	8.8.8.8	192.168.2.4
Jun 16, 2021 12:12:51.167162895 CEST	64549	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:12:51.219575882 CEST	53	64549	8.8.8.8	192.168.2.4
Jun 16, 2021 12:12:52.118812084 CEST	63153	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:12:52.169456005 CEST	53	63153	8.8.8.8	192.168.2.4
Jun 16, 2021 12:12:53.116779089 CEST	52991	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:12:53.173186064 CEST	53	52991	8.8.8.8	192.168.2.4
Jun 16, 2021 12:12:55.140801907 CEST	53700	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:12:55.234893084 CEST	53	53700	8.8.8.8	192.168.2.4
Jun 16, 2021 12:12:55.561372042 CEST	51726	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:12:55.611537933 CEST	53	51726	8.8.8.8	192.168.2.4
Jun 16, 2021 12:12:55.678560019 CEST	56794	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:12:55.771945000 CEST	53	56794	8.8.8.8	192.168.2.4
Jun 16, 2021 12:12:56.722688913 CEST	56794	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:12:56.784843922 CEST	53	56794	8.8.8.8	192.168.2.4
Jun 16, 2021 12:12:57.151865005 CEST	56534	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:12:57.211924076 CEST	53	56534	8.8.8.8	192.168.2.4
Jun 16, 2021 12:12:57.766339064 CEST	56794	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:12:57.828121901 CEST	53	56794	8.8.8.8	192.168.2.4
Jun 16, 2021 12:12:59.481296062 CEST	56627	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:12:59.531846046 CEST	53	56627	8.8.8.8	192.168.2.4
Jun 16, 2021 12:12:59.813011885 CEST	56794	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:12:59.866357088 CEST	53	56794	8.8.8.8	192.168.2.4
Jun 16, 2021 12:13:00.441322088 CEST	56621	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:13:00.492289066 CEST	53	56621	8.8.8.8	192.168.2.4
Jun 16, 2021 12:13:01.225404978 CEST	63116	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:13:01.275593996 CEST	53	63116	8.8.8.8	192.168.2.4
Jun 16, 2021 12:13:02.011327982 CEST	64078	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:13:02.061650038 CEST	53	64078	8.8.8.8	192.168.2.4
Jun 16, 2021 12:13:02.813260078 CEST	64801	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:13:02.869632959 CEST	53	64801	8.8.8.8	192.168.2.4
Jun 16, 2021 12:13:03.860227108 CEST	56794	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:13:03.922441959 CEST	53	56794	8.8.8.8	192.168.2.4
Jun 16, 2021 12:13:04.437778950 CEST	61721	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:13:04.505604029 CEST	53	61721	8.8.8.8	192.168.2.4
Jun 16, 2021 12:13:05.311100006 CEST	51255	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:13:05.361154079 CEST	53	51255	8.8.8.8	192.168.2.4
Jun 16, 2021 12:13:06.201195955 CEST	61522	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:13:06.267741919 CEST	53	61522	8.8.8.8	192.168.2.4
Jun 16, 2021 12:13:07.342672110 CEST	52337	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:13:07.396224022 CEST	53	52337	8.8.8.8	192.168.2.4
Jun 16, 2021 12:13:08.359810114 CEST	55046	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:13:08.413471937 CEST	53	55046	8.8.8.8	192.168.2.4
Jun 16, 2021 12:13:16.602037907 CEST	49612	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:13:16.663887024 CEST	53	49612	8.8.8.8	192.168.2.4
Jun 16, 2021 12:13:36.100734949 CEST	49285	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:13:36.310327053 CEST	53	49285	8.8.8.8	192.168.2.4
Jun 16, 2021 12:13:36.910161018 CEST	50601	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:13:36.977931976 CEST	53	50601	8.8.8.8	192.168.2.4
Jun 16, 2021 12:13:37.141835928 CEST	60875	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:13:37.215235949 CEST	53	60875	8.8.8.8	192.168.2.4
Jun 16, 2021 12:13:37.648900986 CEST	56448	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:13:37.712322950 CEST	53	56448	8.8.8.8	192.168.2.4
Jun 16, 2021 12:13:38.412493944 CEST	59172	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:13:38.475351095 CEST	53	59172	8.8.8.8	192.168.2.4
Jun 16, 2021 12:13:39.076812029 CEST	62420	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:13:39.227572918 CEST	53	62420	8.8.8.8	192.168.2.4
Jun 16, 2021 12:13:39.810606003 CEST	60579	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:13:39.875682116 CEST	53	60579	8.8.8.8	192.168.2.4
Jun 16, 2021 12:13:40.333477974 CEST	50183	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:13:40.392551899 CEST	53	50183	8.8.8.8	192.168.2.4
Jun 16, 2021 12:13:41.388081074 CEST	61531	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:13:41.455204964 CEST	53	61531	8.8.8.8	192.168.2.4
Jun 16, 2021 12:13:42.017770052 CEST	49228	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:13:42.079885960 CEST	53	49228	8.8.8.8	192.168.2.4
Jun 16, 2021 12:13:42.337747097 CEST	59794	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:13:42.388225079 CEST	53	59794	8.8.8.8	192.168.2.4
Jun 16, 2021 12:13:42.950311899 CEST	55916	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:13:43.015516996 CEST	53	55916	8.8.8.8	192.168.2.4
Jun 16, 2021 12:13:51.901818991 CEST	52752	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:13:51.961241007 CEST	53	52752	8.8.8.8	192.168.2.4
Jun 16, 2021 12:13:52.117270947 CEST	60542	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:13:52.183734894 CEST	53	60542	8.8.8.8	192.168.2.4
Jun 16, 2021 12:13:54.729020119 CEST	60689	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:13:54.791069984 CEST	53	60689	8.8.8.8	192.168.2.4
Jun 16, 2021 12:14:28.030345917 CEST	64206	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:14:28.100517035 CEST	53	64206	8.8.8.8	192.168.2.4
Jun 16, 2021 12:14:30.348469973 CEST	50904	53	192.168.2.4	8.8.8.8
Jun 16, 2021 12:14:30.426194906 CEST	53	50904	8.8.8.8	192.168.2.4

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 6412 Parent PID: 800

General

Start time:	12:12:53
Start date:	16/06/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x1040000
File size:	1937688 bytes
MD5 hash:	0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: splwow64.exe PID: 6968 Parent PID: 6412

General

Start time:	12:13:13
Start date:	16/06/2021
Path:	C:\Windows\splwow64.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\splwow64.exe 12288
Imagebase:	0x7ff7bf8e0000
File size:	130560 bytes
MD5 hash:	8D59B31FF375059E3C32B17BF31A76D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report PO-0814.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: WINWORD.EXE PID: 6412 Parent PID: 800

General

Analysis Process: splwow64.exe PID: 6968 Parent PID: 6412

General

Disassembly