Refusal-376547573-01212021.xlsm

Status: finished
Submission Time: 2021-01-21 20:07:26 +01:00
Malicious
Trojan
Exploiter
Evader
Hidden Macro 4.0

Details

  • Analysis ID:
    342882
  • API (Web) ID:
    587706
  • Analysis Started:
    2021-01-21 20:12:27 +01:00
  • Analysis Finished:
    2021-01-21 20:28:31 +01:00
  • MD5:
    b2a6b33f2ace5e06ce661609f7297382
  • SHA1:
    85260ad8b2fdd4d3c6b49c9f87851fd0a125e1dd
  • SHA256:
    cac44e08ba7544ff35a9863faea38680dbf7675ad2e23d7ffc82e11ae0b2da67
  • Technologies:

Joe Sandbox

Engine Download Report Detection Info
malicious
Score: 60
System: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
malicious
Score: 76
System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run Condition: Potential for more IOCs and behavior

Third Party Analysis Engines

malicious

IPs

IP              Country          Detection
172.107.2.98    United States

Domains

Name                  IP              Detection
cdn.onenote.net       0.0.0.0
www.toteteca.com      0.0.0.0
toteteca.com          172.107.2.98

URLs

Name Detection
http://www.toteteca.com/qzkiodlofm/5555555555.jpg
https://incidents.diagnostics.office.com
https://storage.live.com/clientlogs/uploadlocation
https://outlook.office.com/
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
https://entitlement.diagnostics.office.com
https://clients.config.office.net/user/v1.0/android/policies
https://asgsmsproxyapi.azurewebsites.net/
https://incidents.diagnosticssdf.office.com
https://api.office.net
https://outlook.office365.com/api/v1.0/me/Activities
https://o365auditrealtimeingestion.manage.office.com
https://insertmedia.bing.office.net/odc/insertmedia
https://clients.config.office.net/user/v1.0/ios
https://outlook.office365.com/
https://management.azure.com
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
https://apis.live.net/v5.0/
http://weather.service.msn.com/data.aspx
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
https://messaging.office.com/
https://directory.services.
https://visio.uservoice.com/forums/368202-visio-on-devices
https://ovisualuiapp.azurewebsites.net/pbiagave/
https://onedrive.live.com
https://api.cortana.ai
https://dataservice.o365filtering.com
https://clients.config.office.net/user/v1.0/mac
https://skyapi.live.net/Activity/
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
https://augloop.office.com/v2
https://contentstorage.omex.office.net/addinclassifier/officeentities
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
https://templatelogging.office.com/client/log
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
https://devnull.onenote.com
https://api.powerbi.com/beta/myorg/imports
https://graph.windows.net/
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
https://login.windows.net/common/oauth2/authorize
https://ncus-000.contentsync.
https://management.azure.com/
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
https://webshell.suite.office.com
https://outlook.office365.com/autodiscover/autodiscover.json
https://rpsticket.partnerservices.getmicrosoftkey.com
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
https://api.microsoftstream.com/api/
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
https://ofcrecsvcapi-int.azurewebsites.net/
https://api.aadrm.com/
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
https://entitlement.diagnosticssdf.office.com
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
https://cloudfiles.onenote.com/upload.aspx
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
https://cortana.ai
https://lookup.onenote.com/lookup/geolocation/v1
https://cr.office.com
https://powerlift.acompli.net
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
https://clients.config.office.net/user/v1.0/tenantassociationkey
https://wus2-000.contentsync.
https://api.addins.omex.office.net/appinfo/query
https://cdn.entity.
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
https://autodiscover-s.outlook.com/
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
https://shell.suite.office.com:1443
https://login.microsoftonline.com/
https://globaldisco.crm.dynamics.com
https://prod-global-autodetect.acompli.net/autodetect
https://analysis.windows.net/powerbi/api
https://officesetup.getmicrosoftkey.com
https://dataservice.o365filtering.com/
https://graph.windows.net
https://web.microsoftstream.com/video/
https://api.powerbi.com/v1.0/myorg/groups
https://www.odwebp.svc.ms
https://dev0-api.acompli.net/autodetect
https://store.officeppe.com/addinstemplate
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
https://api.diagnosticssdf.office.com
https://outlook.office.com/autosuggest/api/v1/init?cvid=
https://wus2-000.pagecontentsync.
https://store.office.cn/addinstemplate
https://sr.outlook.office.net/ws/speech/recognize/assistant/work
https://officeci.azurewebsites.net/api/
https://tasks.office.com
https://powerlift-frontdesk.acompli.net
https://res.getmicrosoftkey.com/api/redemptionevents
https://graph.ppe.windows.net
https://ecs.office.com/config/v2/Office
https://portal.office.com/account/?ref=ClientMeControl

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Refusal-376547573-01212021.xlsm.LNK
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:03:42 2020, mtime=Fri Jan 22 03:21:24 2021, atime=Fri Jan 22 03:21:24 2021, length=25989, window=hide
#
C:\Users\user\Desktop\~$Refusal-376547573-01212021.xlsm
data
#
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\38087A14-1EB5-47B7-A8E2-322A21C03B78
XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\292D5639.png
PNG image data, 205 x 58, 8-bit/color RGB, non-interlaced
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\757BCDAF.png
PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced
#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\933916E6.png
PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced
#
C:\Users\user\AppData\Local\Temp\E0910000
data
#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 16:19:49 2019, mtime=Fri Jan 22 03:21:23 2021, atime=Fri Jan 22 03:21:23 2021, length=8192, window=hide
#
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
ASCII text, with CRLF line terminators
#
C:\Users\user\Desktop\81910000
data
#