Play interactive tour

Edit tour

Windows Analysis Report plan-1637276620.xlsm

Overview

General Information

Sample Name:	plan-1637276620.xlsm
Analysis ID:	438318
MD5:	4d44784f088b8dd2ac0a6cbf2b809eab
SHA1:	7d01c190b2e73c860a9aed904729c6466230bd26
SHA256:	c63e0b01a696a077a5709b8aa4d4d600344fc1ddba624cbd67c6f37f271d97ac
Infos:
Most interesting Screenshot:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Excel documents contains an embedded macro which executes code when the document is opened

Classification

Process Tree

System is w10x64

EXCEL.EXE (PID: 7120 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

splwow64.exe (PID: 4292 cmdline: C:\Windows\splwow64.exe 12288 MD5: 8D59B31FF375059E3C32B17BF31A76D5)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://api.office.net
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://augloop.office.com
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://cdn.entity.
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://cortana.ai
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://cr.office.com
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://directory.services.
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://graph.windows.net
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://login.windows.local
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://management.azure.com
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://management.azure.com/
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://tasks.office.com
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: workbook.xml

Binary string: 1" sheetId="16" state="hidden" r:id="rId1"/><sheet name="Sheet" sheetId="19" r:id="rId2"/><sheet name="Sheet1" sheetId="4" r:id="rId3"/><sheet name="Sheet2" sheetId="12" r:id="rId4"/><sheet name="Sheet4" sheetId="10" state="hidden" r:id="rId5"/><sheet name="Sheet5" sheetId="11" state="hidden" r:id="rId6"/><sheet name="Sheet6" sheetId="15" state="hidden" r:id="rId7"/><sheet name="Sheet7" sheetId="14" state="hidden" r:id="rId8"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">Sheet6!$AJ$9</definedName></definedNames><calcPr calcId="122211"/></workbook>

Source: classification engine

Classification label: clean0.winXLSM@3/3@0/0

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{434E303B-6F37-4CC5-9FF8-9E404F84FA59} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: plan-1637276620.xlsm	Initial sample: OLE zip file path = xl/media/image1.png
Source: plan-1637276620.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\splwow64.exe

Thread delayed: delay time: 120000

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting1	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	Virtualization/Sandbox Evasion1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	System Information Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting1	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
plan-1637276620.xlsm	2%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Virustotal		Browse
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	Virustotal		Browse
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	Virustotal		Browse
https://asgsmsproxyapi.azurewebsites.net/	0%	Avira URL Cloud	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://ovisualuiapp.azurewebsites.net/pbiagave/	0%	Avira URL Cloud	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe
https://staging.cortana.ai	0%	URL Reputation	safe
https://staging.cortana.ai	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://login.microsoftonline.com/	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://shell.suite.office.com:1443	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://autodiscover-s.outlook.com/	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://cdn.entity.	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://powerlift.acompli.net	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://cortana.ai	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://api.aadrm.com/	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://api.microsoftstream.com/api/	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://cr.office.com	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://portal.office.com/account/?ref=ClientMeControl	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://graph.ppe.windows.net	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tasks.office.com	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://officeci.azurewebsites.net/api/	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://store.office.cn/addinstemplate	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://globaldisco.crm.dynamics.com	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://store.officeppe.com/addinstemplate	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.odwebp.svc.ms	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://web.microsoftstream.com/video/	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://graph.windows.net	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://dataservice.o365filtering.com/	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://ncus.contentsync.	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
http://weather.service.msn.com/data.aspx	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://apis.live.net/v5.0/	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://management.azure.com	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://wus2.contentsync.	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://api.office.net	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://incidents.diagnosticssdf.office.com	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://entitlement.diagnostics.office.com	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://outlook.office.com/	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://templatelogging.office.com/client/log	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://outlook.office365.com/	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://webshell.suite.office.com	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://management.azure.com/	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://login.windows.net/common/oauth2/authorize	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://graph.windows.net/	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://devnull.onenote.com	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://ncus.pagecontentsync.	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://messaging.office.com/	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://augloop.office.com/v2	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://skyapi.live.net/Activity/	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/mac	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://dataservice.o365filtering.com	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.cortana.ai	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://ovisualuiapp.azurewebsites.net/pbiagave/	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false	Avira URL Cloud: safe	unknown
https://visio.uservoice.com/forums/368202-visio-on-devices	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://directory.services.	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://login.windows-ppe.net/common/oauth2/authorize	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high
https://staging.cortana.ai	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://loki.delve.office.com/api/v1/configuration/officewin32/	2CAF7AE8-289A-4F25-868B-6D2546F9329C.0.dr	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	438318
Start date:	22.06.2021
Start time:	13:33:24
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	plan-1637276620.xlsm
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.winXLSM@3/3@0/0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsm
Warnings:	Show All Max analysis timeout: 220s exceeded, the analysis took too long Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 104.42.151.234, 13.88.21.125, 52.109.32.63, 52.109.8.24, 52.109.8.25, 20.82.209.183, 104.43.193.48, 20.54.104.15, 40.112.88.60, 20.54.7.98, 173.222.108.226, 173.222.108.210, 20.50.102.62, 80.67.82.211, 80.67.82.235 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, prod-w.nexus.live.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net

Simulations

Behavior and APIs

Time	Type	Description
13:34:24	API Interceptor	20x Sleep call for process: splwow64.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\2CAF7AE8-289A-4F25-868B-6D2546F9329C Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	134914
Entropy (8bit):	5.367807218977918
Encrypted:	false
SSDEEP:	1536:vcQIKNgeBXA3gBwlpQ9DQW+z7Y34ZliKWXboOidX5E6LWME9:vEQ9DQW+zvXO1
MD5:	0D48EA4DD74C64C5A1C57AD28FFBCABF
SHA1:	B1734754C9B1D84A250FA2B1D238F49707A55A17
SHA-256:	D09E1FCDBF132DBE299FBE0909F3B446B008B32EEEAC756898747BF845C31050
SHA-512:	A7A4531B0237FD5211DAA23F5B4747A8A8B36B93BD3F8E4C76BF6BC7AF26FC16FC1AA5EE801A298DDCAD2DC60EDD62C950A200EBE48052FB87A516CF7A004F6D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-06-22T11:34:20">.. Build: 16.0.14221.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\DF8B976F.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 1133 x 589, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	75711
Entropy (8bit):	7.915372969602997
Encrypted:	false
SSDEEP:	1536:gxJQVyZEbrMj34410mHyL9c988gHhX8jCNnKfl5ncT:7br0o45GUgHhX8jC9yST
MD5:	8296338A43942E3107802E3062AC1270
SHA1:	46E67A586ED8A961AF7FD03140547C1CB2BAC227
SHA-256:	BE5F61F2AE8E4C9F9ADBCE5EC33D4C01A331734FFC5818AA8E45CF60456C5ABD
SHA-512:	C2179050A009C990CBFE6EA45E44AA6307AAC938E3EA523D31713F657E09131B07ACEBB31FC353C5A23E7D6323C4EC01736CFF092ACA1D49B58E71A07F1171AD
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...m...M......p......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^......g......q.\|.....<...'r....-^..c.If.,ffX1K.[....Z....V.LO5L..J+...z.]]u..>.==.......................Q..........(.......p.t........8.:.............................g@G........3............Q..........(.......p.t........8.:.............................g@G........3............Q..........(.......p.t......j.7ZP...:...0S....z5T........).WU=j..$H.B.P.)l.6Q..'.l..7..k..J.o..._....6..{C...r.\|2W.[a...m.BI.?...5......D....4;B...@b.HiP.jfj}@.S9..E.J...O..BA5.e:...q!.SP....w....(..._.,..I.\|a.7+>.........A#......3v..37......w(..j...C.R..H3.f.Q....0....h~...)aM..).vQ.1..+J@Q.....Oa+...!5.e.b...V..\|..d../.......vC..&..=9...n.....^6-.tRj...O..{j.e.N....o..~..^.......#!...T...C.#.>.E,[.,......E....h~B.Y./....(2.......(...`....~w#.%..R..{........N.Z....k]8>..dW..^s....U...9...W.e...]...W...i.{u.>.s.,L.>1..)....f..b..Z.nai$.Q.."...W2.......Q...G...z....Ea......

C:\Users\user\Desktop\~$plan-1637276620.xlsm Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.6081032063576088
Encrypted:	false
SSDEEP:	3:RFXI6dtt:RJ1
MD5:	7AB76C81182111AC93ACF915CA8331D5
SHA1:	68B94B5D4C83A6FB415C8026AF61F3F8745E2559
SHA-256:	6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
SHA-512:	A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	.pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General
File type:	Microsoft Excel 2007+
Entropy (8bit):	7.835274324451968
TrID:	Excel Microsoft Office Open XML Format document (40004/1) 83.33% ZIP compressed archive (8000/1) 16.67%
File name:	plan-1637276620.xlsm
File size:	93191
MD5:	4d44784f088b8dd2ac0a6cbf2b809eab
SHA1:	7d01c190b2e73c860a9aed904729c6466230bd26
SHA256:	c63e0b01a696a077a5709b8aa4d4d600344fc1ddba624cbd67c6f37f271d97ac
SHA512:	09c221b8d32ff3a0cb092789103d54ef64b1dffa92a1cdb7047436c6d9e578ee505457d327a55f1dac5f6b2bcd934c80b025b92b50da12ecdc3187e86efa6b69
SSDEEP:	1536:aY2xJQVyZEbrMj34410mHyL9c988gHhX8jCNnKfl5ncW3SLBT0Ca:aYRbr0o45GUgHhX8jC9ySWCLBI
File Content Preview:	PK..........!.!=J.............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	74ecd0e2f696908c

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 22, 2021 13:34:06.397425890 CEST	49257	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:06.459352016 CEST	53	49257	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:07.452620983 CEST	62389	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:07.503133059 CEST	53	62389	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:13.104347944 CEST	49910	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:13.163697958 CEST	53	49910	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:18.693247080 CEST	55854	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:18.760987997 CEST	53	55854	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:20.352370024 CEST	64549	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:20.481046915 CEST	53	64549	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:20.522984028 CEST	63153	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:20.573957920 CEST	53	63153	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:21.001802921 CEST	52991	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:21.097220898 CEST	53	52991	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:22.001698017 CEST	52991	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:22.066880941 CEST	53	52991	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:23.065018892 CEST	52991	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:23.180289030 CEST	53	52991	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:23.498817921 CEST	53700	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:23.554853916 CEST	53	53700	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:24.711668968 CEST	51726	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:24.761879921 CEST	53	51726	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:25.110939980 CEST	52991	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:25.180887938 CEST	53	52991	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:26.342062950 CEST	56794	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:26.397329092 CEST	53	56794	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:27.457086086 CEST	56534	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:27.518634081 CEST	53	56534	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:28.567749023 CEST	56627	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:28.618249893 CEST	53	56627	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:29.111656904 CEST	52991	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:29.181703091 CEST	53	52991	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:31.154071093 CEST	56621	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:31.214139938 CEST	53	56621	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:32.633635044 CEST	63116	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:32.683717012 CEST	53	63116	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:33.755656004 CEST	64078	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:33.808173895 CEST	53	64078	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:34.946288109 CEST	64801	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:35.002341032 CEST	53	64801	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:35.182926893 CEST	61721	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:35.265284061 CEST	53	61721	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:36.136533976 CEST	51255	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:36.195071936 CEST	53	51255	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:37.411890030 CEST	61522	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:37.464900970 CEST	53	61522	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:38.569720984 CEST	52337	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:38.631772041 CEST	53	52337	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:39.738118887 CEST	55046	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:39.791929007 CEST	53	55046	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:40.909411907 CEST	49612	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:40.971003056 CEST	53	49612	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:42.045912981 CEST	49285	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:42.099713087 CEST	53	49285	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:51.525690079 CEST	50601	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:51.661621094 CEST	53	50601	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:52.263659000 CEST	60875	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:52.328490973 CEST	53	60875	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:52.436372995 CEST	56448	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:52.513638020 CEST	53	56448	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:52.926877975 CEST	59172	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:53.072206974 CEST	53	59172	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:53.547955990 CEST	62420	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:53.611747980 CEST	53	62420	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:54.187994957 CEST	60579	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:54.248145103 CEST	53	60579	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:54.929630041 CEST	50183	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:54.988626003 CEST	53	50183	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:55.508428097 CEST	61531	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:55.573440075 CEST	53	61531	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:56.421154022 CEST	49228	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:56.473294973 CEST	53	49228	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:57.359426022 CEST	59794	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:57.423682928 CEST	53	59794	8.8.8.8	192.168.2.4
Jun 22, 2021 13:34:57.884110928 CEST	55916	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:34:57.949631929 CEST	53	55916	8.8.8.8	192.168.2.4
Jun 22, 2021 13:35:00.784028053 CEST	52752	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:35:00.850064993 CEST	53	52752	8.8.8.8	192.168.2.4
Jun 22, 2021 13:35:09.812721968 CEST	60542	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:35:09.868340969 CEST	60689	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:35:09.882375956 CEST	53	60542	8.8.8.8	192.168.2.4
Jun 22, 2021 13:35:09.941801071 CEST	53	60689	8.8.8.8	192.168.2.4
Jun 22, 2021 13:35:12.846244097 CEST	64206	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:35:12.911854982 CEST	53	64206	8.8.8.8	192.168.2.4
Jun 22, 2021 13:35:43.675060987 CEST	50904	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:35:43.742486000 CEST	53	50904	8.8.8.8	192.168.2.4
Jun 22, 2021 13:35:45.439239025 CEST	57525	53	192.168.2.4	8.8.8.8
Jun 22, 2021 13:35:45.515517950 CEST	53	57525	8.8.8.8	192.168.2.4

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 7120 Parent PID: 800

General

Start time:	13:34:18
Start date:	22/06/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase:	0xb90000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: splwow64.exe PID: 4292 Parent PID: 7120

General

Start time:	13:34:24
Start date:	22/06/2021
Path:	C:\Windows\splwow64.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\splwow64.exe 12288
Imagebase:	0x7ff643fd0000
File size:	130560 bytes
MD5 hash:	8D59B31FF375059E3C32B17BF31A76D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report plan-1637276620.xlsm

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: EXCEL.EXE PID: 7120 Parent PID: 800

General

Chronological Activities

Analysis Process: splwow64.exe PID: 4292 Parent PID: 7120

General

Chronological Activities

Disassembly