Windows Analysis Report
Contact.xls

Overview

General Information

Sample Name: Contact.xls
Analysis ID: 562530
MD5: fa8570c3fca7bd0ecc8b2afbc9a2a088
SHA1: 1e9a8f5de89b43a7cb81003f3106cabaaefc4769
SHA256: 0eb209a36a0f427cb97875cc2f0838077e5c3568c84782773a5bf2e101d7dc9a

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara signature match

Classification

  • System is w10x64
  • EXCEL.EXE (PID: 6924 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
  • cleanup
No configs have been found
Yara match:
Source: Contact.xls
Rule: INDICATOR_OLE_Excel4Macros_DL2
Description: Detects OLE Excel 4 Macros documents acting as downloaders
Author: ditekSHen
Strings:
  • 0x47a3:$e2: 00 4D 61 63 72 6F 31 85 00
  • 0x481d:$a1: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A 00
  • 0x946:$x1: * #,##0
  • 0x952:$x1: * #,##0
  • 0x9fb:$x1: * #,##0
  • 0xa0a:$x1: * #,##0
  • 0xa36:$x1: * #,##0
No Sigma rule has matched


System Summary

Source: Contact.xls, type: SAMPLE. Matched rule: Detects OLE Excel 4 Macros documents acting as downloaders, Author: ditekSHen
Source: Contact.xls, type: SAMPLE. Matched rule: INDICATOR_OLE_Excel4Macros_DL2, author = ditekSHen, description = Detects OLE Excel 4 Macros documents acting as downloaders
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE. File read: C:\Users\desktop.ini
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE. File created: C:\Users\user\AppData\Local\Temp\{51D6675B-C84C-480F-ABA3-186417455523} - OProcSessId.dat
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE. Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: classification engine. Classification label: mal48.winXLS@1/1@0/0
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE. File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: Window Recorder. Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE. Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE. Process information set: NOOPENFILEERRORBOX
MITRE ATT&CK Matrix (a number before a technique is the count of matching signatures):

Initial Access: Valid Accounts; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
Defense Evasion: 1 Masquerading; Rootkit
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: 1 File and Directory Discovery; 2 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Data Obfuscation; Junk Data
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout
Antivirus results:
Source: Contact.xls | Detection: 2% | Scanner: Virustotal
No Antivirus matches
URL reputation results (Source | Detection | Scanner | Label):
No contacted domains info
URLs (Name | Source | Malicious | Antivirus Detection | Reputation):
                        high
                        https://cloudfiles.onenote.com/upload.aspxE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                          high
                          https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                            high
                            https://entitlement.diagnosticssdf.office.comE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                              high
                              https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicyE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                high
                                https://api.aadrm.com/E0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                • URL Reputation: safe
                                unknown
                                https://ofcrecsvcapi-int.azurewebsites.net/E0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                • URL Reputation: safe
                                unknown
                                https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                  high
                                  https://api.microsoftstream.com/api/E0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                    high
                                    https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                      high
                                      https://cr.office.comE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                        high
                                        https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;hE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                        • Avira URL Cloud: safe
                                        low
                                        https://portal.office.com/account/?ref=ClientMeControlE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                          high
                                          https://graph.ppe.windows.netE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                            high
                                            https://res.getmicrosoftkey.com/api/redemptioneventsE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                            • URL Reputation: safe
                                            unknown
                                            https://powerlift-frontdesk.acompli.netE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                            • URL Reputation: safe
                                            unknown
                                            https://tasks.office.comE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                              high
                                              https://officeci.azurewebsites.net/api/E0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                              • URL Reputation: safe
                                              unknown
                                              https://sr.outlook.office.net/ws/speech/recognize/assistant/workE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                high
                                                https://store.office.cn/addinstemplateE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                • URL Reputation: safe
                                                unknown
                                                https://api.aadrm.comE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                • URL Reputation: safe
                                                unknown
                                                https://outlook.office.com/autosuggest/api/v1/init?cvid=E0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                  high
                                                  https://globaldisco.crm.dynamics.comE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                    high
                                                    https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                      high
                                                      https://dev0-api.acompli.net/autodetectE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      https://www.odwebp.svc.msE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      https://api.diagnosticssdf.office.com/v2/feedbackE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                        high
                                                        https://api.powerbi.com/v1.0/myorg/groupsE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                          high
                                                          https://web.microsoftstream.com/video/E0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                            high
                                                            https://api.addins.store.officeppe.com/addinstemplateE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://graph.windows.netE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                              high
                                                              https://dataservice.o365filtering.com/E0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://officesetup.getmicrosoftkey.comE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://analysis.windows.net/powerbi/apiE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                high
                                                                https://prod-global-autodetect.acompli.net/autodetectE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://outlook.office365.com/autodiscover/autodiscover.jsonE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                  high
                                                                  https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-iosE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                    high
                                                                    https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                      high
                                                                      https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                        high
                                                                        https://ncus.contentsync.E0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://onedrive.live.com/about/download/?windows10SyncClientInstalled=falseE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                          high
                                                                          https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/E0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                            high
                                                                            http://weather.service.msn.com/data.aspxE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                              high
                                                                              https://apis.live.net/v5.0/E0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asksE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                high
                                                                                https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                  high
                                                                                  https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                    high
                                                                                    https://management.azure.comE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                      high
                                                                                      https://outlook.office365.comE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                        high
                                                                                        https://wus2.contentsync.E0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        https://incidents.diagnostics.office.comE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                          high
                                                                                          https://clients.config.office.net/user/v1.0/iosE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                            high
                                                                                            https://insertmedia.bing.office.net/odc/insertmediaE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                              high
                                                                                              https://o365auditrealtimeingestion.manage.office.comE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                high
                                                                                                https://outlook.office365.com/api/v1.0/me/ActivitiesE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                  high
                                                                                                  https://api.office.netE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                    high
                                                                                                    https://incidents.diagnosticssdf.office.comE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                      high
                                                                                                      https://asgsmsproxyapi.azurewebsites.net/E0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      https://clients.config.office.net/user/v1.0/android/policiesE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                        high
                                                                                                        https://entitlement.diagnostics.office.comE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                          high
                                                                                                          https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                            high
                                                                                                            https://substrate.office.com/search/api/v2/initE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                              high
                                                                                                              https://outlook.office.com/E0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                                high
                                                                                                                https://storage.live.com/clientlogs/uploadlocationE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                                  high
                                                                                                                  https://outlook.office365.com/E0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                                    high
                                                                                                                    https://webshell.suite.office.comE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                                      high
                                                                                                                      https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDriveE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                                        high
                                                                                                                        https://substrate.office.com/search/api/v1/SearchHistoryE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                                          high
                                                                                                                          https://management.azure.com/E0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                                            high
                                                                                                                            https://login.windows.net/common/oauth2/authorizeE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                                              high
                                                                                                                              https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFileE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              https://graph.windows.net/E0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                                                high
                                                                                                                                https://api.powerbi.com/beta/myorg/importsE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://devnull.onenote.comE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://ncus.pagecontentsync.E0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.jsonE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://messaging.office.com/E0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://augloop.office.com/v2E0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=BingE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://skyapi.live.net/Activity/E0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              https://clients.config.office.net/user/v1.0/macE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://dataservice.o365filtering.comE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                https://api.cortana.aiE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                https://onedrive.live.comE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  No contacted IP infos
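The report records no contacted domains and no contacted IPs, so every URL in the table above is a string recovered from the dropped file E0DB925F-1BA5-41F7-8DD1-432043A67229.0.dr rather than observed network traffic, and none of them should be promoted to a network IOC on the strength of this report alone. The following Python script is an added example, not part of the Joe Sandbox report: it parses rows in the report's flattened form (URL, source file id and malicious flag run together on one line, followed by an optional scanner verdict and a reputation line), splits them into "actually contacted" and "string only", and lists the entries whose reputation is anything other than "high" for manual review. The sample rows are a constructed subset copied from the table above, the empty contacted set mirrors this report, and the regular expression for the source id is my assumption about the naming of Joe Sandbox dropped files.

```python
"""Triage a sandbox URL table: separate strings merely found in a dropped
file from endpoints that were actually contacted, and flag low-confidence
reputations for review.  Added example; not Joe Sandbox code."""
import re
from urllib.parse import urlsplit

# Constructed sample: rows copied from the report in their flattened form.
SAMPLE_ROWS = """
https://api.diagnosticssdf.office.comE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
high
https://roaming.edog.E0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
• URL Reputation: safe
unknown
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;hE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
• Avira URL Cloud: safe
low
http://weather.service.msn.com/data.aspxE0DB925F-1BA5-41F7-8DD1-432043A67229.0.drfalse
high
"""

# The report says "No contacted domains info" / "No contacted IP infos".
CONTACTED = set()

# Assumption: a dropped-file source id is <GUID>.<n>.dr; it is fused to the
# URL on the left and to the malicious flag ("true"/"false") on the right.
ROW_RE = re.compile(
    r"^(?P<url>\S+?)(?P<source>[0-9A-F-]{36}\.\d+\.dr)(?P<malicious>true|false)$"
)


def parse_rows(text):
    """Turn the flattened rows into dicts: url, source, malicious, av, reputation."""
    rows = []
    current = None
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m:
            current = {
                "url": m["url"],
                "source": m["source"],
                "malicious": m["malicious"] == "true",
                "av": None,          # scanner verdict, if any
                "reputation": None,  # high / low / unknown
            }
            rows.append(current)
        elif current is None:
            continue             # stray line before the first row
        elif line.startswith("•"):
            current["av"] = line.lstrip("• ").strip()
        else:
            current["reputation"] = line
    return rows


def triage(rows, contacted=CONTACTED):
    """Classify rows by whether their host was contacted and pick review items."""
    result = {"contacted": [], "string_only": [], "review": []}
    for r in rows:
        # Some cells hold several ';'-joined URLs; the first one is enough
        # to decide which host the string refers to.
        r["host"] = urlsplit(r["url"].split(";")[0]).hostname or ""
        bucket = "contacted" if r["host"] in contacted else "string_only"
        result[bucket].append(r)
        # Anything not vouched for by a "high" reputation, or flagged
        # malicious, deserves a human look before it is dismissed.
        if r["malicious"] or r["reputation"] != "high":
            result["review"].append(r)
    return result


if __name__ == "__main__":
    t = triage(parse_rows(SAMPLE_ROWS))
    print(f"contacted: {len(t['contacted'])}, string only: {len(t['string_only'])}")
    for r in t["review"]:
        print(f"review: {r['url']}  reputation={r['reputation']}  av={r['av']}")
```

On a report like this one the "contacted" bucket stays empty, which is the point: the review list is a list of strings to explain (incomplete template strings such as https://roaming.edog., or a bundle of several URLs in one cell), not a list of command-and-control candidates. Feed the script the "contacted domains" section of a report that actually has one, and the split becomes meaningful.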
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 562530
Start date: 29.01.2022
Start time: 00:54:12
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 53s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Contact.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.winXLS@1/1@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xls
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                                                                                                  • Excluded IPs from analysis (whitelisted): 52.109.76.68, 52.109.12.24, 52.109.12.21, 52.109.12.22
                                                                                                                                                  • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, prod-w.nexus.live.com.akadns.net, config.officeapps.live.com, prod.configsvc1.live.com.akadns.net, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, europe.configsvc1.live.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
No simulations
No context
Dropped Files
Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):142098
Entropy (8bit):5.35476002489255
Encrypted:false
SSDEEP:1536:CcQIfgxrBdA3guwQ/Q9DQW+zUk4F77nXmvidZXQE5LWmE9:q8Q9DQW+zwXFU
MD5:1699BDC3C621D1023B7B57503CAC2B03
SHA1:CC2DBEE7C9D80FA878610036F0BD0B0E0DF7F158
SHA-256:063DE7CB194B5326454517A9D8719A5FB0A725C14CF276FD1D358C4BF8762AD5
SHA-512:414CD718B316969A3DC8894D100126799CC331EF2AC4F26AB14E94FA8D63C9BC3DE9B2811781F13E7C9991536AFD59F4825F9AA1B209EA774D28648A40C0FD26
Malicious:false
Reputation:low
Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-01-28T23:55:06">.. Build: 16.0.14923.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
Static File Info
File type:Composite Document File V2 Document, Can't read SAT
Entropy (8bit):6.4919219658612315
TrID:
• Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:Contact.xls
File size:52470
MD5:fa8570c3fca7bd0ecc8b2afbc9a2a088
SHA1:1e9a8f5de89b43a7cb81003f3106cabaaefc4769
SHA256:0eb209a36a0f427cb97875cc2f0838077e5c3568c84782773a5bf2e101d7dc9a
SHA512:4b560f493efb55f4496b4f47de8c6aed5e332ea65e78ac9e4944efa92f27e49b9516756b7cf67fae361c7013263126b9fdf1832de058d75714a8caceefdd5d33
SSDEEP:1536:1I+Hymsbck3hbdlylKsgqopeJBWhZFGkE+cMLxAAISQ5gQ7X:1I+HymsYk3hbdlylKsgqopeJBWhZFGkU
File Content Preview:........................>......................................................................................................................................................................................................................................
Icon Hash:74ecd4c6c3c6c4d8
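The "Can't read SAT" qualifier on the file type above is worth acting on during triage: it is libmagic's way of saying the sector allocation table (the FAT of an OLE2 compound file) referenced from the 512-byte header could not be read, which in practice usually means the container is truncated or deliberately malformed so that naive OLE parsers give up while Excel still opens it. The script below is an added example written for this page, not Joe Sandbox code and not its parser: it recomputes the MD5/SHA1/SHA256 and "Entropy (8bit)" values the report lists, then performs the FAT-reachability check from the public MS-CFB header layout (sector N lives at offset (N+1) * sector size; the first 109 FAT sector numbers sit in the header DIFAT at offset 0x4C). Since Contact.xls itself is not reproduced here, the input is a constructed minimal compound file, once intact and once truncated after the header; all function names are this example's own.

```python
import hashlib
import math
import struct

# Compound File Binary (OLE2) header constants from the public MS-CFB layout.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT = 0xFFFFFFFF
ENDOFCHAIN = 0xFFFFFFFE
FATSECT = 0xFFFFFFFD
HEADER_SIZE = 512


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 hex digests, the identifiers the report lists for the sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), i.e. the report's 'Entropy (8bit)' figure."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def check_ole_fat(data: bytes) -> dict:
    """Parse the CFB header and verify that every FAT (SAT) sector named in the
    in-header DIFAT physically exists inside the file.  Sector N lives at
    offset (N + 1) * sector_size.  Only the 109 in-header DIFAT slots are
    walked, which covers files up to about 7 MB with 512-byte sectors."""
    if len(data) < HEADER_SIZE or data[:8] != OLE_MAGIC:
        return {"ole": False, "fat_readable": False, "unreadable_fat_sectors": []}
    sector_shift = struct.unpack_from("<H", data, 0x1E)[0]
    if sector_shift not in (9, 12):  # only 512- and 4096-byte sectors are defined
        return {"ole": True, "fat_readable": False, "unreadable_fat_sectors": []}
    sector_size = 1 << sector_shift
    num_fat_sectors = struct.unpack_from("<I", data, 0x2C)[0]
    difat = struct.unpack_from("<109I", data, 0x4C)
    wanted = difat[: min(num_fat_sectors, 109)]
    unreadable = [
        s for s in wanted
        if s == FREESECT or (s + 1) * sector_size + sector_size > len(data)
    ]
    return {
        "ole": True,
        "sector_size": sector_size,
        "fat_sectors": num_fat_sectors,
        "fat_readable": num_fat_sectors > 0 and not unreadable,
        "unreadable_fat_sectors": unreadable,
    }


def triage(data: bytes) -> dict:
    """Static triage summary in the same shape as the report's Static File Info block."""
    summary = file_hashes(data)
    summary["size"] = len(data)
    summary["entropy_8bit"] = shannon_entropy_8bit(data)
    summary["ole"] = check_ole_fat(data)
    return summary


def build_minimal_ole(with_sectors: bool) -> bytes:
    """Constructed sample, NOT the analysed Contact.xls: a CFB header whose DIFAT[0]
    says the single FAT sector is sector 0, optionally followed by that FAT sector
    and an (empty) directory sector.  with_sectors=False yields a container cut
    off right after the header, so the FAT cannot be read."""
    header = bytearray(HEADER_SIZE)
    header[0:8] = OLE_MAGIC
    # minor version, major version 3 (512-byte sectors), byte order, sector shift, mini sector shift
    struct.pack_into("<HHHHH", header, 0x18, 0x003E, 0x0003, 0xFFFE, 9, 6)
    # dir sector count (0 for v3), FAT sector count, first dir sector, transaction sig,
    # mini stream cutoff, first mini FAT sector, mini FAT count, first DIFAT sector, DIFAT count
    struct.pack_into("<9I", header, 0x28, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", header, 0x4C, 0, *([FREESECT] * 108))  # DIFAT[0] = sector 0
    if not with_sectors:
        return bytes(header)
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))  # sector 0: the FAT
    directory = bytes(512)  # sector 1: placeholder directory, not needed for this check
    return bytes(header) + fat + directory


if __name__ == "__main__":
    for label, blob in (("intact", build_minimal_ole(True)), ("truncated", build_minimal_ole(False))):
        print(label, triage(blob))
```

Run against the real sample, a `fat_readable: False` result is the cue to keep the file away from parsers that silently stop at the first unreadable sector and to extract the Excel 4 macro sheets with a tool that tolerates damaged containers, rather than concluding from a parser failure that the document is benign.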
No network behavior found
No statistics
Analysis Process: EXCEL.EXE
Target ID:0
Start time:00:55:04
Start date:29/01/2022
Path:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
Imagebase:0xfa0000
File size:27110184 bytes
MD5 hash:5D6638F2C8F8571C593999C58866007E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

No disassembly