Edit tour

Windows Analysis Report
INVOICE.doc

Overview

General Information

Sample Name:	INVOICE.doc
Analysis ID:	635245
MD5:	0ecb6ed891d173443fa3654c31e14320
SHA1:	6867f37817db501ce103813f791899f3cf1bc1e8
SHA256:	f080b3ba979f854761526f4bc6bd5b8210b48d5f91f15b1a1423849107775e11
Tags:	doc
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Multi AV Scanner detection for submitted file

Document exploit detected (drops PE files)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Office process drops PE file

PE file has nameless sections

Machine Learning detection for dropped file

Found suspicious RTF objects

Found potential equation exploit (CVE-2017-11882)

Yara signature match

PE file contains strange resources

Drops PE files

PE file contains sections with non-standard names

Found dropped PE file which has not been started or loaded

PE file contains executable resources (Code or Archives)

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 6412 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
INVOICE.doc	MAL_RTF_Embedded_OLE_PE	Detects a suspicious string often used in PE files in a hex encoded object stream	Florian Roth	0x177f:$a1: 546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f6465 0x16e3:$m1: 4d5a90000300000004000000ffff
INVOICE.doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x1269:$obj2: \objdata 0x207214:$obj2: \objdata 0x3e240c:$obj3: \objupdate 0x8de:$obj4: \objemb 0x206889:$obj4: \objemb

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: INVOICE.doc	Virustotal: Detection: 50%			Perma Link
Source: INVOICE.doc	ReversingLabs: Detection: 19%

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Client.exe	Virustotal: Detection: 63%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\Client.exe	Metadefender: Detection: 31%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\Client.exe	ReversingLabs: Detection: 51%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Client.exe

Joe Sandbox ML: detected

Exploits

Found potential equation exploit (CVE-2017-11882)

Source:

Static RTF information: Object: 1 Offset: 00207238h

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Software Vulnerabilities

Document exploit detected (creates forbidden files)

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\Client.exe

Jump to behavior

Document exploit detected (drops PE files)

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: Client.exe.0.dr

Jump to dropped file

Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://api.aadrm.com
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://api.office.net
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://augloop.office.com
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://cdn.entity.
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://cortana.ai
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://cr.office.com
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://directory.services.
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://edu-mathreco-prod.trafficmanager.net
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://edu-mathsolver-prod.trafficmanager.net
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://graph.windows.net
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://invites.office.com/
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://login.windows.local
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://management.azure.com
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://management.azure.com/
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://osi.office.net
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://outlook.office.com
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://roaming.edog.
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://tasks.office.com
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

System Summary

Malicious sample detected (through community Yara rule)

Source: INVOICE.doc, type: SAMPLE

Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen

Office process drops PE file

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\Client.exe

Jump to dropped file

PE file has nameless sections

Source: Client.exe.0.dr

Static PE information: section name:

Found suspicious RTF objects

Source: Client.exe

Static RTF information: Object: 0 Offset: 0000128Dh Client.exe

Source: INVOICE.doc, type: SAMPLE	Matched rule: MAL_RTF_Embedded_OLE_PE date = 2018-01-22, author = Florian Roth, description = Detects a suspicious string often used in PE files in a hex encoded object stream, reference = https://www.nextron-systems.com/2018/01/22/creating-yara-rules-detect-embedded-exe-files-ole-objects/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: INVOICE.doc, type: SAMPLE	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.

Source: Client.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Client.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Client.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Client.exe.0.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: Client.exe.0.dr

Static PE information: Section: VU3rezH ZLIB complexity 1.00032784598

Source: INVOICE.doc	Virustotal: Detection: 50%
Source: INVOICE.doc	ReversingLabs: Detection: 19%

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{391F884A-0DF2-4CC0-811D-5EA2088E6DC9} - OProcSessId.dat

Jump to behavior

Source: classification engine

Classification label: mal100.expl.winDOC@1/9@0/0

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: INVOICE.doc

Static file information: File size 4073082 > 1048576

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: Client.exe.0.dr	Static PE information: section name: VU3rezH
Source: Client.exe.0.dr	Static PE information: section name:

Source: initial sample	Static PE information: section name: VU3rezH entropy: 7.99954491412
Source: initial sample	Static PE information: section name: .text entropy: 6.88898241318

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\Client.exe

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Client.exe

Jump to dropped file

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	3 Exploitation for Client Execution	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	2 Software Packing	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
INVOICE.doc	50%	Virustotal		Browse
INVOICE.doc	20%	ReversingLabs	Document-RTF.Trojan.Injuke

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Client.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Client.exe	63%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\Client.exe	31%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\Client.exe	51%	ReversingLabs	ByteCode-MSIL.Trojan.RealProtect

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://roaming.edog.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://login.microsoftonline.com/	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://shell.suite.office.com:1443	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://autodiscover-s.outlook.com/	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://roaming.edog.	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://cdn.entity.	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://powerlift.acompli.net	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://cortana.ai	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://api.aadrm.com/	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://api.microsoftstream.com/api/	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://cr.office.com	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false	Avira URL Cloud: safe	low
https://portal.office.com/account/?ref=ClientMeControl	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://graph.ppe.windows.net	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://officeci.azurewebsites.net/api/	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://store.office.cn/addinstemplate	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://globaldisco.crm.dynamics.com	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://messaging.engagement.office.com/	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://dev0-api.acompli.net/autodetect	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://api.powerbi.com/v1.0/myorg/groups	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://web.microsoftstream.com/video/	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://api.addins.store.officeppe.com/addinstemplate	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://dataservice.o365filtering.com/	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://ncus.contentsync.	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
http://weather.service.msn.com/data.aspx	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://apis.live.net/v5.0/	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://management.azure.com	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://outlook.office365.com	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://wus2.contentsync.	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://api.office.net	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://incidents.diagnosticssdf.office.com	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://entitlement.diagnostics.office.com	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://substrate.office.com/search/api/v2/init	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://outlook.office.com/	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://outlook.office365.com/	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://webshell.suite.office.com	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://substrate.office.com/search/api/v1/SearchHistory	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://management.azure.com/	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://clients.config.office.net/c2r/v1.0/InteractiveInstallation	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://login.windows.net/common/oauth2/authorize	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net/	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://devnull.onenote.com	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://ncus.pagecontentsync.	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false	URL Reputation: safe	unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://messaging.office.com/	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://augloop.office.com/v2	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://skyapi.live.net/Activity/	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/mac	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false		high
https://dataservice.o365filtering.com	55500104-7BA4-450F-B5B6-9FAE4E02D958.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	635245
Start date and time: 27/05/202217:49:26	2022-05-27 17:49:26 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	INVOICE.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.expl.winDOC@1/9@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .doc Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 52.109.88.177, 52.109.12.22, 52.109.76.34
Excluded domains from analysis (whitelisted): fs.microsoft.com, prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, config.officeapps.live.com, sls.update.microsoft.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\55500104-7BA4-450F-B5B6-9FAE4E02D958

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	147717
Entropy (8bit):	5.359207546988477
Encrypted:	false
SSDEEP:	1536:BcQW/gxgB5B3guw//Q9DQW+zQWk4F77nXmvidQXxUETLKz6e:dHQ9DQW+zIXLI
MD5:	E6E619CAC3C39DDB4DF743FBB9E139B8
SHA1:	F0328034164567F1678649AA8011D8CB0148FA43
SHA-256:	97C06E65DEDC51DC2BEE938FD6EDA3686C703A8D2B426651126407E9BA05EFCF
SHA-512:	F47CB2C0EEFF4D2484FC56E0999177A3D646EDF82E4DB9A89772B16DE27D08E906B037AA2A5A00C31E27FEB068CD98AECC91513EBE8ADB77DF922D0F3404EEBB
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-05-27T15:50:41">.. Build: 16.0.15322.30526-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{182A308B-3928-43D2-96AF-DFBDDED8FBB8}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{E6ECC2FB-A299-4715-927D-C678F6A7F37A}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	1.1393247452705433
Encrypted:	false
SSDEEP:	6:beKNc1ElClXiKNwDOxRAJgm7KmrRmvlw5Fr+ur8FrK:beOc1MClXiO6Ox2JF5Rmvq5ZP8ZK
MD5:	2508CC81F5E9247B80C4FB3781394285
SHA1:	453AC54E5038EF8D30A585EB885652468B0992A4
SHA-256:	5A1936A4E61EFDCA38F71EE6AE93A7537F589F2A2B2B71D898B2877ECE3374FC
SHA-512:	08A7D69CF5ADD926CB304D49A5B97757FE3CF7EFEB957654EB7718ADF69B46F2A1C40F9973197E71300419ECBD3F1B5EBE40F63C228B6E92EA0075C11E7A86AD
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..).(.).(.).(.).(.).(.).5.=....... .P.a.c.k.a.g.e.E.M.B.E.D.5.=....... .U.n.k.n.o.w.n.E.M.B.E.D................................................................................................................................................................................................................................................................................................................................................................................................................................................."...<...>...@...F............................................................................................................................................................................................................................................................................................................................................................................................CJ..OJ..QJ..^J.....j....CJ..OJ..QJ..U..^J...<..CJ..OJ..QJ..^J...OJ..QJ..^J.

C:\Users\user\AppData\Local\Temp\Client.exe

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1019392
Entropy (8bit):	7.463685655107809
Encrypted:	false
SSDEEP:	12288:/M/Vjn7/MEaDBNAU+UY8WiUxjx0Kvd9cHGunMFrER0iONCXtykhWt7mxe4g:/M/VP/MXbL+fTFvMHGuOc0i4CXt5hWE
MD5:	75C0471CCE805B589FDAF81D8D1D646C
SHA1:	28D5C23AB236A28376A64446EECC4B8068E71F51
SHA-256:	8C867636633BAB72230AB4F4123B1B37244A8325B40230947CDFD7EC3CC0C686
SHA-512:	2233A6BC864F0F2705010F2FDF688DB0E72A20A92C16711E63A06FBEE0D9C6D32E31AB70C93CEDA4B40D14D84EC045D65EDCDD97055B4C34DFBB6DE40019E000
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 63%, Browse Antivirus: Metadefender, Detection: 31%, Browse Antivirus: ReversingLabs, Detection: 51%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Lg.b..............0..z................... ....@.. ....................................@.....................................O....@...}..............................................................................................H...........VU3re.zH..... ......................@....text....v.......x.................. ..`.rsrc....}...@...~..................@..@.................................... ..`.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Client.exe:Zone.Identifier

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:gAWY3n:qY3n
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]..ZoneId=3..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\INVOICE.doc.LNK

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:31:48 2022, mtime=Fri May 27 23:50:46 2022, atime=Fri May 27 23:50:35 2022, length=4073082, window=hide
Category:	dropped
Size (bytes):	1038
Entropy (8bit):	4.721773535285337
Encrypted:	false
SSDEEP:	12:8uOwFZtUFuElPCH2GgDMcSYuM+WOHpfcmPHrvjAV/WrDZ4vJUDs+JB5JT4t2Y+x4:8uN8DMPRcmfAVuHZ1DbBbh7aB6m
MD5:	3EA0F315A0A439B5E34C51407CD469C5
SHA1:	37D2487C125033E60E48C1267FACF8AB67D7DEC5
SHA-256:	2133D5285C52293619238103AC07FE60A8EDD1AA9B73DB4DC4265BE33CB46F68
SHA-512:	83F917140E924BDB678418E19856E22EAB15DF251C0E5E8B5046C88F1B8793BF195B860BE26E7D8C2FDE51CB1213C933D59C350B321AB942A9AF567DF5D767A1
Malicious:	true
Preview:	L..................F.... ........3....H.,r....1.,r..z&>..........................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...TK.....................:.....q\|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....hT....user.<.......Ny..TK......S....................s...h.a.r.d.z.....~.1.....hT....Desktop.h.......Ny..TK......Y..............>.....Z...D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....b.2.z&>..TR. .INVOICE.doc.H......hT...TR.....h.....................b...I.N.V.O.I.C.E...d.o.c.......Q...............-.......P...........>.S......C:\Users\user\Desktop\INVOICE.doc..".....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.I.N.V.O.I.C.E...d.o.c.........:..,.LB.)...As...`.......X.......632922...........!a..%.H.VZAj................-..!a..%.H.VZAj................-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	73
Entropy (8bit):	4.614921998459085
Encrypted:	false
SSDEEP:	3:bDuMJl0XX1zCmX1KzqsX1zCv:bCPxEzqAxs
MD5:	5F789C623A9E8963E95B26CF07AFF5BF
SHA1:	7CD0106ECA31151951F4ADF9AFDB882DA0844F7B
SHA-256:	ACB5F625725B1D77B6E7C1466E32D4227A4A5925BD1B6AB9458B6D3BD9F113F3
SHA-512:	966205B839048F7D90578AD597D4684AC387D5CBDA125F14D71BD45C3D17F4FEDBC232F5F5AA71B009E33CF31987429F7D5EEF90F3E3F484CBEB7B1D2D2BBD9A
Malicious:	false
Preview:	[folders]..Templates.LNK=0..INVOICE.doc.LNK=0..[doc]..INVOICE.doc.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.1150565317044543
Encrypted:	false
SSDEEP:	3:Rl/ZdAltfHXolFVn8Xt7:RtZqdHoHS
MD5:	47F4DEA953CAF4684FDC3334445ACB04
SHA1:	C73E8ABB4806188C2DDF6FA5197CCD10E0743EAB
SHA-256:	EF91A0506BBAA9010B05BAAE67FD1165A83FD2705907EE01B67E3675279EF930
SHA-512:	402EF017DA02EF0B9F874C2697DF81BBC6E7A9164CED5D89CED82D6E523E5AA2EFC16529A96D165E119B11A134B5A70693DF58478C1BCD357CE655DC13FB58A4
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h..........R:..............................R>.E............................R2.5...........$...

C:\Users\user\Desktop\~$NVOICE.doc

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.1150565317044543
Encrypted:	false
SSDEEP:	3:Rl/ZdAltfHXolFVn8Xt7:RtZqdHoHS
MD5:	47F4DEA953CAF4684FDC3334445ACB04
SHA1:	C73E8ABB4806188C2DDF6FA5197CCD10E0743EAB
SHA-256:	EF91A0506BBAA9010B05BAAE67FD1165A83FD2705907EE01B67E3675279EF930
SHA-512:	402EF017DA02EF0B9F874C2697DF81BBC6E7A9164CED5D89CED82D6E523E5AA2EFC16529A96D165E119B11A134B5A70693DF58478C1BCD357CE655DC13FB58A4
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h..........R:..............................R>.E............................R2.5...........$...

Static File Info

General

File type:	Rich Text Format data, version 1, unknown character set
Entropy (8bit):	5.05599985084287
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	INVOICE.doc
File size:	4073082
MD5:	0ecb6ed891d173443fa3654c31e14320
SHA1:	6867f37817db501ce103813f791899f3cf1bc1e8
SHA256:	f080b3ba979f854761526f4bc6bd5b8210b48d5f91f15b1a1423849107775e11
SHA512:	608f95fa01b0ecfc45f81f8b1e56539f08aae01f5589e7ce98f150e6e6e580eed1e39910f0b39596bff68b1ce338f9d2cfb6727287ad644ec64bdf34be2e65ac
SSDEEP:	24576:Z+h5y9IA8yaw1fba/f84V6FXjhHavKVp7Ai4q0LD33bqJXCJIoYSUaJbjOpS/iqu:V
TLSH:	1616A431B13439D7C21F0435565FBD89430ABD83A3C66F8C518EFAF91EA69E7630690A
File Content Preview:	{\rtf1{\\pnseclvl3\pndec\pnstart1\pnindent720\pnhang {\pntxta .}}{\\pnseclvl4\pnlcltr\pnstart1\pnindent720\pnhang {\pntxta )}}{\\pnseclvl5\pndec\pnstart1\pnindent720\pnhang {\pntxtb (}{\pntxta )}}{\\pnseclvl6.\pnlcltr\pnstart1\pnindent720\pnhang {\pnt

File Icon


Icon Hash:	74f4c4c6c1cac4d8

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	0000128Dh	2	embedded	Package	1019559	Client.exe	C:\Path\Client.exe	C:\Path\Client.exe	no
1	00207238h	2	embedded	Equation.3	3072				no

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: WINWORD.EXEPID: 6412, Parent PID: 756

General

Target ID:	0
Start time:	17:50:37
Start date:	27/05/2022
Path:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x800000
File size:	1937688 bytes
MD5 hash:	0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report INVOICE.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\55500104-7BA4-450F-B5B6-9FAE4E02D958

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{182A308B-3928-43D2-96AF-DFBDDED8FBB8}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{E6ECC2FB-A299-4715-927D-C678F6A7F37A}.tmp

C:\Users\user\AppData\Local\Temp\Client.exe

C:\Users\user\AppData\Local\Temp\Client.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\INVOICE.doc.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\Desktop\~$NVOICE.doc

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: WINWORD.EXEPID: 6412, Parent PID: 756

General

Chronological Activities

Disassembly

Windows Analysis Report
INVOICE.doc