Edit tour

Windows Analysis Report
cbH3TvDB3v.doc

Overview

General Information

Sample Name:	cbH3TvDB3v.doc
Analysis ID:	647425
MD5:	4d5da2273e2d7cce6ac37027afd286af
SHA1:	85a659971ad5aea58ff20a078532e688f7e1659b
SHA256:	5dcbffef867b44bbb828cfb4a21c9fb1fa3404b4d8b6f4e8118c62addbf859da
Tags:	matanbuchusmsisignedWesteastTechConsultingCorp
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Document contains OLE streams with names of living off the land binaries

PE / OLE file has an invalid certificate

Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 6804 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: cbH3TvDB3v.doc

Virustotal: Detection: 12%

Perma Link

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Source: winword.exe

Memory has grown: Private usage: 0MB later: 63MB

Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: cbH3TvDB3v.doc, ~DFE82BBEEE0183323C.TMP.0.dr, ~WRD0000.doc.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: cbH3TvDB3v.doc, ~DFE82BBEEE0183323C.TMP.0.dr, ~WRD0000.doc.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: cbH3TvDB3v.doc, ~DFE82BBEEE0183323C.TMP.0.dr, ~WRD0000.doc.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: cbH3TvDB3v.doc, ~DFE82BBEEE0183323C.TMP.0.dr, ~WRD0000.doc.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: cbH3TvDB3v.doc, ~DFE82BBEEE0183323C.TMP.0.dr, ~WRD0000.doc.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: cbH3TvDB3v.doc, ~DFE82BBEEE0183323C.TMP.0.dr, ~WRD0000.doc.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: cbH3TvDB3v.doc, ~DFE82BBEEE0183323C.TMP.0.dr, ~WRD0000.doc.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: cbH3TvDB3v.doc, ~DFE82BBEEE0183323C.TMP.0.dr, ~WRD0000.doc.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://api.aadrm.com
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://api.cortana.ai
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://api.office.net
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://api.onedrive.com
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://augloop.office.com
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://cdn.entity.
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://cortana.ai
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://cortana.ai/api
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://cr.office.com
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://directory.services.
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://edu-mathreco-prod.trafficmanager.net
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://edu-mathsolver-prod.trafficmanager.net
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://graph.windows.net
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://graph.windows.net/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://invites.office.com/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://login.windows.local
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://management.azure.com
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://management.azure.com/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://messaging.office.com/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://officeapps.live.com
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://onedrive.live.com
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://osi.office.net
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://outlook.office.com
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://outlook.office.com/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://outlook.office365.com
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://roaming.edog.
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://settings.outlook.com
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://tasks.office.com
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

System Summary

Document contains OLE streams with names of living off the land binaries

Source: cbH3TvDB3v.doc	Stream path '\x18496\x16191\x17783\x17516\x15210\x17892\x18468' : NameTableTypeColumnIdentifier_ValidationValueNPropertyId_SummaryInformationDescriptionSetCategoryKeyTableMaxValueNullableKeyColumnMinValueName of tableName of columnY;NWhether the column is nullableYMinimum value allowedMaximum value allowedFor foreign key, Name of table to which data must linkColumn to which foreign key connectsText;Formatted;Template;Condition;Guid;Path;Version;Language;Identifier;Binary;UpperCase;LowerCase;Filename;Paths;AnyPath;WildCardFilename;RegPath;CustomSource;Property;Cabinet;Shortcut;FormattedSDDLText;Integer;DoubleInteger;TimeDate;DefaultDirString categoryTextSet of values that are permittedDescription of columnAdminExecuteSequenceActionName of action to invoke, either in the engine or the handler DLL.ConditionOptional expression which skips the action if evaluates to expFalse.If the expression syntax is invalid, the engine will terminate, returning iesBadActionData.SequenceNumber that determines the sort order in which the actions are to be executed. Leave blank to suppress action.AdminUISequenceAdvtExecuteSequenceComponentPrimary key used to identify a particular component record.ComponentIdGuidA string GUID unique to this component, version, and language.Directory_DirectoryRequired key of a Directory table record. This is actually a property name whose value contains the actual path, set either by the AppSearch action or with the default setting obtained from the Directory table.AttributesRemote execution option, one of irsEnumA conditional statement that will disable this component if the specified condition evaluates to the 'True' state. If a component is disabled, it will not be installed, regardless of the 'Action' state associated with the component.KeyPathFile;Registry;ODBCDataSourceEither the primary key into the File table, Registry table, or ODBCDataSource table. This extract path is stored when the component is installed, and is used to detect the presence of the component and to return the path to it.CustomActionPrimary key, name of action, normally appears in sequence table unless private use.The numeric custom action type, consisting of source location, code type, entry, option flags.SourceCustomSourceThe table reference of the source of the code.TargetFormattedExcecution parameter, depends on the type of custom actionExtendedTypeA numeric custom action type that extends code type or option flags of the Type column.Unique identifier for directory entry, primary key. If a property by this name is defined, it contains the full path to the directory.Directory_ParentReference to the entry in this table specifying the default parent directory. A record parented to itself or with a Null parent represents a root of the install tree.DefaultDirThe default sub-path under parent's path.FeaturePrimary key used to identify a particular feature record.Feature_ParentOptional key of a parent record in the same table. If the parent is not selected, then the record will not be installed. Null indicates a root item.Titl
Source: ~DFE82BBEEE0183323C.TMP.0.dr	Stream path '\x18496\x16191\x17783\x17516\x15210\x17892\x18468' : NameTableTypeColumnIdentifier_ValidationValueNPropertyId_SummaryInformationDescriptionSetCategoryKeyTableMaxValueNullableKeyColumnMinValueName of tableName of columnY;NWhether the column is nullableYMinimum value allowedMaximum value allowedFor foreign key, Name of table to which data must linkColumn to which foreign key connectsText;Formatted;Template;Condition;Guid;Path;Version;Language;Identifier;Binary;UpperCase;LowerCase;Filename;Paths;AnyPath;WildCardFilename;RegPath;CustomSource;Property;Cabinet;Shortcut;FormattedSDDLText;Integer;DoubleInteger;TimeDate;DefaultDirString categoryTextSet of values that are permittedDescription of columnAdminExecuteSequenceActionName of action to invoke, either in the engine or the handler DLL.ConditionOptional expression which skips the action if evaluates to expFalse.If the expression syntax is invalid, the engine will terminate, returning iesBadActionData.SequenceNumber that determines the sort order in which the actions are to be executed. Leave blank to suppress action.AdminUISequenceAdvtExecuteSequenceComponentPrimary key used to identify a particular component record.ComponentIdGuidA string GUID unique to this component, version, and language.Directory_DirectoryRequired key of a Directory table record. This is actually a property name whose value contains the actual path, set either by the AppSearch action or with the default setting obtained from the Directory table.AttributesRemote execution option, one of irsEnumA conditional statement that will disable this component if the specified condition evaluates to the 'True' state. If a component is disabled, it will not be installed, regardless of the 'Action' state associated with the component.KeyPathFile;Registry;ODBCDataSourceEither the primary key into the File table, Registry table, or ODBCDataSource table. This extract path is stored when the component is installed, and is used to detect the presence of the component and to return the path to it.CustomActionPrimary key, name of action, normally appears in sequence table unless private use.The numeric custom action type, consisting of source location, code type, entry, option flags.SourceCustomSourceThe table reference of the source of the code.TargetFormattedExcecution parameter, depends on the type of custom actionExtendedTypeA numeric custom action type that extends code type or option flags of the Type column.Unique identifier for directory entry, primary key. If a property by this name is defined, it contains the full path to the directory.Directory_ParentReference to the entry in this table specifying the default parent directory. A record parented to itself or with a Null parent represents a root of the install tree.DefaultDirThe default sub-path under parent's path.FeaturePrimary key used to identify a particular feature record.Feature_ParentOptional key of a parent record in the same table. If the parent is not selected, then the record will not be installed. Null indicates a root item.Titl

Source: cbH3TvDB3v.doc

Static PE information: invalid certificate

Source: cbH3TvDB3v.doc	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DFE82BBEEE0183323C.TMP.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: cbH3TvDB3v.doc

Virustotal: Detection: 12%

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{944E30E7-F839-4F57-808E-44253C669FE6} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: classification engine

Classification label: mal52.winDOC@1/16@0/0

Source: cbH3TvDB3v.doc	OLE document summary: edited time not present or 0
Source: ~DFE82BBEEE0183323C.TMP.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: cbH3TvDB3v.doc.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\cbH3TvDB3v.doc

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: cbH3TvDB3v.doc

Initial sample: OLE summary comments = Adobe Font Pack

Source: cbH3TvDB3v.doc

Initial sample: OLE summary template = Intel;1033

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Source: cbH3TvDB3v.doc

Initial sample: OLE summary keywords = Installer

Source: cbH3TvDB3v.doc

Initial sample: OLE summary subject = Adobe Font Pack 3.0.12.9

Source: cbH3TvDB3v.doc

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX

Source: cbH3TvDB3v.doc	Stream path '\x16944\x17191\x14436\x16830\x16740' entropy: 7.99804442398 (max. 8.0)
Source: ~DFE82BBEEE0183323C.TMP.0.dr	Stream path '\x16944\x17191\x14436\x16830\x16740' entropy: 7.99804442398 (max. 8.0)

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Extra Window Memory Injection	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Obfuscated Files or Information	LSASS Memory	2 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Extra Window Memory Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
cbH3TvDB3v.doc	12%	Virustotal		Browse
cbH3TvDB3v.doc	3%	Metadefender		Browse
cbH3TvDB3v.doc	5%	ReversingLabs	Win32.Trojan.Matanbuchus

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://roaming.edog.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://login.microsoftonline.com/	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://shell.suite.office.com:1443	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://autodiscover-s.outlook.com/	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://roaming.edog.	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://cdn.entity.	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://powerlift.acompli.net	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://cortana.ai	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://api.aadrm.com/	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://api.microsoftstream.com/api/	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://cr.office.com	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false	Avira URL Cloud: safe	low
https://portal.office.com/account/?ref=ClientMeControl	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://graph.ppe.windows.net	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://officeci.azurewebsites.net/api/	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://store.office.cn/addinstemplate	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://globaldisco.crm.dynamics.com	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://messaging.engagement.office.com/	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://dev0-api.acompli.net/autodetect	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://api.powerbi.com/v1.0/myorg/groups	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://web.microsoftstream.com/video/	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://api.addins.store.officeppe.com/addinstemplate	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://dataservice.o365filtering.com/	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://ncus.contentsync.	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
http://weather.service.msn.com/data.aspx	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://apis.live.net/v5.0/	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://messaging.lifecycle.office.com/	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://management.azure.com	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://outlook.office365.com	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://wus2.contentsync.	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://api.office.net	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://incidents.diagnosticssdf.office.com	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://entitlement.diagnostics.office.com	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://substrate.office.com/search/api/v2/init	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://outlook.office.com/	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://outlook.office365.com/	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://webshell.suite.office.com	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://substrate.office.com/search/api/v1/SearchHistory	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://management.azure.com/	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://messaging.lifecycle.office.com/getcustommessage16	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://clients.config.office.net/c2r/v1.0/InteractiveInstallation	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://login.windows.net/common/oauth2/authorize	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net/	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://devnull.onenote.com	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://messaging.action.office.com/	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://ncus.pagecontentsync.	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false	URL Reputation: safe	unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://messaging.office.com/	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high
https://augloop.office.com/v2	CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3.0.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	647425
Start date and time: 17/06/202208:42:28	2022-06-17 08:42:28 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 15s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	cbH3TvDB3v.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal52.winDOC@1/16@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .doc Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.88.191, 52.109.88.39, 52.109.76.34
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, store-images.s-microsoft.com, login.live.com, config.officeapps.live.com, prod.configsvc1.live.com.akadns.net, nexus.officeapps.live.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, europe.configsvc1.live.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	148957
Entropy (8bit):	5.356715542423569
Encrypted:	false
SSDEEP:	1536:XcQW/gxgB5BQguw5/Q9DQC+zQWk4F77nXmvid3Xx4ETLKz6e:GJQ9DQC+zPXLI
MD5:	2510FB245D23B7ACECCE54E81C3173A5
SHA1:	69CCB686B4A37E668C53BC9831AD807E9F9B8F55
SHA-256:	FD3C7A35B7D9FF9E5AF3C0C49C126326B69BB65E634D2C2D5DE8B71DE3896ECB
SHA-512:	B2CB50D51A0FB6EEFD9BCEF64B2793B678F75D6846E40BCE94BBA84E2DE575D60608C506DBE7CA40D9B15CD5584A719D3AB74C40D829A0A61F7D9AB9F2E32199
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-06-17T06:43:40">.. Build: 16.0.15414.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRD0000.doc

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	458752
Entropy (8bit):	4.735992448126498
Encrypted:	false
SSDEEP:	6144:R9pfkFilPaCymEsnOammmZmyPQGzzDiYIEjEPJDkBhQuaVuzyyVqZ0VDN7Axv1pb:Rrfk/sEsnOEmZkGziYjKG8yzVU0
MD5:	2C989C2AE2B1DAFAB5DB082552AE7F66
SHA1:	AE0EE664217D93637263E4D08F85B9C1272E6C88
SHA-256:	A55D6F948C8D4B264A534AE18F76D5F0C3D81DF09BE67CBDE8025F0F06BD7552
SHA-512:	79A75D89CE0C6C0ADF7A3D36203C8B6744F2DFA31CB48204BD4C82F3B8EF96B9B6DF5766607083A84BCB28ABD3C651C758EDEAD77BD739B00B4ED5CD8711E3FE
Malicious:	false
Reputation:	low
Preview:	................................................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{327BF051-2C37-41E3-8183-EDDFCBD2B5C5}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.36904766090109
Encrypted:	false
SSDEEP:	3:IiiiiiiiiiVeldI43lnl/bl//l/fl/9vvvvvvvvvvFl/l/lAqsDNjPl3lldHzlbB:Iiiiiiiiii8l+4cc8++lwG3q8l/n
MD5:	19D80492DAF4E3E894A38327E7FD409B
SHA1:	BEC61FFC0A61B88432323D1A274F8216541C067A
SHA-256:	04B6C43051D464AB41D5FC8002B153DF0D3BFBEA5434D60F39E18DB9AAF19EFD
SHA-512:	A9C496C1614453E43BA528E03B3B5473218009057B6F7B84A567D909A4AB8FAC5FB3880E865AADC60612AF3F702DEDA9CD52FAB698C17EC7A1909346F2CFDD80
Malicious:	false
Reputation:	low
Preview:	..(...(...(...(...(...(...(...(...(...(...(...p.r.a.t.e.s.h...p....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......>...B...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{D2BD1A0C-0F0D-4881-AD92-A7EF1FBC8E71}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF0258E66BF876B8C5.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF8EC971471F55E58D.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF9EB3B20486B0AF64.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFBBBC0FD9D34D6548.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFD09D1702729436C4.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFE82BBEEE0183323C.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Adobe Font Pack 3.0.12.9, Author: Adobe Inc., Keywords: Installer, Comments: Adobe Font Pack, Template: Intel;1033, Revision Number: {20BC971C-913C-4948-9C90-6E85B0BF418C}, Create Time/Date: Thu Jun 16 10:55:20 2022, Last Saved Time/Date: Thu Jun 16 10:55:20 2022, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
Category:	dropped
Size (bytes):	229376
Entropy (8bit):	7.61117273001489
Encrypted:	false
SSDEEP:	6144:zi4SAoa1aq9oOGwFVL4/QUDDNHdOxOzd5:zi4SAoal9ogFVCDnNHdO+3
MD5:	4D5DA2273E2D7CCE6AC37027AFD286AF
SHA1:	85A659971AD5AEA58FF20A078532E688F7E1659B
SHA-256:	5DCBFFEF867B44BBB828CFB4A21C9FB1FA3404B4D8B6F4E8118C62ADDBF859DA
SHA-512:	8BFEA7FA9DE79312239C1B4F042E3955D31A12483DD7770F71F145FC8ABD3DEBA35257386F1D3048B3203945017494317E237AD887039CF4B5547103EB2E03C1
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFE8B0535EAC1A263D.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\cbH3TvDB3v.doc.LNK

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:31:42 2022, mtime=Fri Jun 17 14:43:44 2022, atime=Fri Jun 17 14:43:35 2022, length=229376, window=hide
Category:	dropped
Size (bytes):	1055
Entropy (8bit):	4.700257951367736
Encrypted:	false
SSDEEP:	24:86qKGIvo0vPqv4uBJZEmA6NPdDq+7aB6m:8RKxqRrid6NPo3B6
MD5:	15933AAB19C0337DBA82D766908E6AF2
SHA1:	3CA968BB2DC7235300CB69164333700FF233D918
SHA-256:	2692CEE60B4B5C9F7641EBC8B0881804DA6A01FB7ECB818329437B414644FAD7
SHA-512:	4046E27EAB8A5F88833B9A0F8FE5B3C4D1103CEACF162E4296822FE37DBECD38F40972FAD2F2E30C4CF5582E4DA3F3FBD8DD063642E29D9144C5028A919F8EA3
Malicious:	true
Preview:	L..................F.... ...t;...3..9...a...Y.?.a................................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...Ti}....................:.....q\|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....hT....user.<.......Ny..Ti}.....S.....................I..h.a.r.d.z.....~.1.....hT....Desktop.h.......Ny..Ti}.....Y..............>......r..D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....j.2......Tr} .CBH3TV~1.DOC..N......hT...Tr}....h.......................}.c.b.H.3.T.v.D.B.3.v...d.o.c.......T...............-.......S...........>.S......C:\Users\user\Desktop\cbH3TvDB3v.doc..%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.c.b.H.3.T.v.D.B.3.v...d.o.c.........:..,.LB.)...As...`.......X.......910646...........!a..%.H.VZAj...`............-..!a..%.H.VZAj...`............-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	79
Entropy (8bit):	4.687036768267084
Encrypted:	false
SSDEEP:	3:bDuMJle+QTAYzCmX1QkVQTAYzCv:bC8GAYzOkVGAYzs
MD5:	698C9516E53E9B14CC5A6894CAE112DA
SHA1:	310A0A506923830A33D53A7934EBC88C4BE907E7
SHA-256:	6D7B0F520930BF8BB706A6EED901AC25F7122594B6AACA5C38CB8F90902BAB8D
SHA-512:	B87C80FF09B00817F048D767220816A8C2002844E2E99F4220B7A5F91B31968B79C8AA3EA55577D16D9B2DECC27431A87CF6ACF2E0349D3CAB0FA5860B2679ED
Malicious:	false
Preview:	[folders]..Templates.LNK=0..cbH3TvDB3v.doc.LNK=0..[doc]..cbH3TvDB3v.doc.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.235999604145688
Encrypted:	false
SSDEEP:	3:Rl/ZdUUZiulqKBLlbll1lqKN8ltlt/Z:RtZVi7aLzgW8lb
MD5:	B2787B2009A743872DA0B0BCCFFDF18D
SHA1:	5F4EFA9CDE8577BCA9C79A7E9D0C5734911D6E1F
SHA-256:	D97C9ADA642D02387874F4240FE1494B8CB9502A5C1FF47EA6067C20409254CB
SHA-512:	478BD871756926C69D3A178A39861BB4E5330A30CF0F6A8715B875747D8E255EC1C222E2421B300C2FBABE0FC288DF1387E39F3635ED5C330BBC33DCE96A5C76
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h.........`...............$.......6C......d...............T.......6C......h...................

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\Desktop\~$H3TvDB3v.doc

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.235999604145688
Encrypted:	false
SSDEEP:	3:Rl/ZdUUZiulqKBLlbll1lqKN8ltlt/Z:RtZVi7aLzgW8lb
MD5:	B2787B2009A743872DA0B0BCCFFDF18D
SHA1:	5F4EFA9CDE8577BCA9C79A7E9D0C5734911D6E1F
SHA-256:	D97C9ADA642D02387874F4240FE1494B8CB9502A5C1FF47EA6067C20409254CB
SHA-512:	478BD871756926C69D3A178A39861BB4E5330A30CF0F6A8715B875747D8E255EC1C222E2421B300C2FBABE0FC288DF1387E39F3635ED5C330BBC33DCE96A5C76
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h.........`...............$.......6C......d...............T.......6C......h...................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Adobe Font Pack 3.0.12.9, Author: Adobe Inc., Keywords: Installer, Comments: Adobe Font Pack, Template: Intel;1033, Revision Number: {20BC971C-913C-4948-9C90-6E85B0BF418C}, Create Time/Date: Thu Jun 16 10:55:20 2022, Last Saved Time/Date: Thu Jun 16 10:55:20 2022, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
Entropy (8bit):	7.61117273001489
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	cbH3TvDB3v.doc
File size:	229376
MD5:	4d5da2273e2d7cce6ac37027afd286af
SHA1:	85a659971ad5aea58ff20a078532e688f7e1659b
SHA256:	5dcbffef867b44bbb828cfb4a21c9fb1fa3404b4d8b6f4e8118c62addbf859da
SHA512:	8bfea7fa9de79312239c1b4f042e3955d31a12483dd7770f71f145fc8abd3deba35257386f1d3048b3203945017494317e237ad887039cf4b5547103eb2e03c1
SSDEEP:	6144:zi4SAoa1aq9oOGwFVL4/QUDDNHdOxOzd5:zi4SAoal9ogFVCDnNHdO+3
TLSH:	1E24024A7B044538D01667392FDBF6E687367C8C8EAB49526297F32C2DB31A051735F8
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	74f4c4c6c1cac4d8

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
Error Number:	-2146762495
Not Before, Not After	5/17/2022 5:00:00 PM 5/11/2023 4:59:59 PM
Subject Chain	CN="Westeast Tech Consulting, Corp.", O="Westeast Tech Consulting, Corp.", L=NORTHRIDGE, S=California, C=US, SERIALNUMBER=4088386, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version:	3
Thumbprint MD5:	0E4E3D01B136D4F9120A1333A90F111F
Thumbprint SHA-1:	2A40875C895B648C9583925C7DAD694A2A11D7DD
Thumbprint SHA-256:	9ED703BA7033AF5F88A5F5EF0155ADC41715D3175EEC836822A09A93D56E4B7F
Serial:	061A27A3A3771BB440FC16CADF2675C4

OLE File "cbH3TvDB3v.doc"

Indicators

Has Summary Info:
Application Name:	Windows Installer XML Toolset (3.11.2.4516)
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Summary

Code Page:	1252
Title:	Installation Database
Subject:	Adobe Font Pack 3.0.12.9
Author:	Adobe Inc.
Keywords:	Installer
Comments:	Adobe Font Pack
Template:	Intel;1033
Revion Number:	{20BC971C-913C-4948-9C90-6E85B0BF418C}
Create Time:	2022-06-16 09:55:20
Last Saved Time:	2022-06-16 09:55:20
Number of Pages:	200
Number of Words:	10
Creating Application:	Windows Installer XML Toolset (3.11.2.4516)
Security:	2

Streams

Stream Path: \x5DigitalSignature, File Type: data, Stream Size: 4773

General
Stream Path:	\x5DigitalSignature
File Type:	data
Stream Size:	4773
Entropy:	7.602282152400635
Base64 Encoded:	True
Data ASCII:	0 . . . * H . . . . . 0 . . . . 1 . 0 . . . ` H . e . . . . . . 0 w . . + . . . . 7 . . . i 0 g 0 2 . . + . . . . 7 . . . 0 $ . . . . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . 0 1 0 . . . ` H . e . . . . . . . Q V . 6 . K e . 0 7 ] x * . } { * y . . 0 . 0 . . . . . . . . @ ` . L ^ . 0 . . . * H . . . . . . 0 b 1 . 0 . . . U . . . . U S 1 . 0 . . . U . . . . D i g i C e r t I n c 1 . 0 . . . U . . . . w w w . d i g i c e r t . c o m 1 ! 0 . . . U . . . . D i g i C e r t T r u s t e d
Data Raw:	30 82 12 a1 06 09 2a 86 48 86 f7 0d 01 07 02 a0 82 12 92 30 82 12 8e 02 01 01 31 0f 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 30 77 06 0a 2b 06 01 04 01 82 37 02 01 04 a0 69 30 67 30 32 06 0a 2b 06 01 04 01 82 37 02 01 1e 30 24 02 01 02 04 10 f1 10 0c 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 01 00 02 01 00 02 01 00 02 01 00 02 01 00 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01

Stream Path: \x5MsiDigitalSignatureEx, File Type: data, Stream Size: 32

General
Stream Path:	\x5MsiDigitalSignatureEx
File Type:	data
Stream Size:	32
Entropy:	4.9375
Base64 Encoded:	False
Data ASCII:	. n d 1 y l I . I o u + F . A 3 e . j
Data Raw:	bd b2 d8 98 6e 64 31 79 6c c0 49 15 49 a3 bb 6f e3 75 2b 86 46 05 41 88 d4 33 65 fb cc a7 c2 6a

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 476

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	476
Entropy:	4.474418592431077
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . I n s t a l l a t i o n D a t a b a s e . . . . . . . . . . . A d o b e F o n t P a c k 3 . 0 . 1 2 . 9 . . . . . . . . . . . . A d o b e I n c . . . . . . . . . . . I n s
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 ac 01 00 00 0e 00 00 00 01 00 00 00 78 00 00 00 02 00 00 00 80 00 00 00 03 00 00 00 a0 00 00 00 04 00 00 00 c4 00 00 00 05 00 00 00 d8 00 00 00 06 00 00 00 ec 00 00 00 07 00 00 00 04 01 00 00 09 00 00 00 18 01 00 00 0c 00 00 00 48 01 00 00

Stream Path: \x16944\x17191\x14436\x16830\x16740, File Type: Microsoft Cabinet archive data, 185059 bytes, 2 files, Stream Size: 185059

General
Stream Path:	\x16944\x17191\x14436\x16830\x16740
File Type:	Microsoft Cabinet archive data, 185059 bytes, 2 files
Stream Size:	185059
Entropy:	7.998044423977934
Base64 Encoded:	True
Data ASCII:	M S C F . . . . . . . . . . , . . . . . . . . . . . . . . . . . . . ` . . . . . . . . D . . . . . . . . T ' o . m a i n _ d l l . D . . . . D . . . . T 8 M . n o t i f y _ v b s . } 8 . C K \| . \\ U . z K . , Z n . h e . . + . + 3 . S @ $ . ) . g p . [ . m l F . . . * . Q . ^ . . . \| . . . < . 9 _ u y i . + . . . . W K t 6 k e ; - . . . . ; o y g N s b L l 3 . ~ h \| 9 n . i . R = \\ . . ; x X . 5 ~ r . . . e . h . ~ k Q . \\ V . ] \\ & = 3 5 W s O . . . . . { . ^ ; ] . p . . . + . . . . W O . a . . . . 1 W
Data Raw:	4d 53 43 46 00 00 00 00 e3 d2 02 00 00 00 00 00 2c 00 00 00 00 00 00 00 03 01 01 00 02 00 00 00 00 00 00 00 60 00 00 00 0d 00 01 00 00 44 06 00 00 00 00 00 00 00 ce 54 27 6f 20 00 6d 61 69 6e 5f 64 6c 6c 00 44 00 00 00 00 44 06 00 00 00 d0 54 38 4d 20 00 6e 6f 74 69 66 79 5f 76 62 73 00 7d 97 9e fa 95 38 00 80 43 4b ec 7c 7f 5c 55 f5 fd ff c5 0b 7a 4b 14 2c 5a 6e 1f b7 68 b9 65 cb

Stream Path: \x18496\x15167\x17394\x17464\x17841, File Type: data, Stream Size: 656

General
Stream Path:	\x18496\x15167\x17394\x17464\x17841
File Type:	data
Stream Size:	656
Entropy:	4.728156136205491
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . " . " . " . ) . ) . ) . * . * . * . + . + . + . + . + . + . 1 . 1 . 1 . 9 . 9 . 9 . 9 . 9 . I . I . I . I . I . I . I . I . X . X . ] . ] . ] . ] . ] . ] . ] . ] . k . k . k . l . l . l . m . m . m . m . m . m . x . x . z . z . z . z . z . z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . #
Data Raw:	07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 22 00 22 00 22 00 29 00 29 00 29 00 2a 00 2a 00 2a 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 31 00 31 00 31 00 39 00 39 00 39 00 39 00 39 00 49 00 49 00 49 00 49 00 49 00 49 00 49 00 49 00 58 00 58 00 5d 00 5d 00 5d 00 5d 00 5d 00 5d 00 5d 00 5d 00 6b 00 6b 00 6b 00 6c 00 6c 00 6c 00 6d 00 6d 00 6d 00 6d 00 6d 00 6d 00 78 00

Stream Path: \x18496\x16191\x17783\x17516\x15210\x17892\x18468, File Type: ASCII text, with very long lines, with no line terminators, Stream Size: 6703

General
Stream Path:	\x18496\x16191\x17783\x17516\x15210\x17892\x18468
File Type:	ASCII text, with very long lines, with no line terminators
Stream Size:	6703
Entropy:	4.830396384462009
Base64 Encoded:	True
Data ASCII:	N a m e T a b l e T y p e C o l u m n I d e n t i f i e r _ V a l i d a t i o n V a l u e N P r o p e r t y I d _ S u m m a r y I n f o r m a t i o n D e s c r i p t i o n S e t C a t e g o r y K e y T a b l e M a x V a l u e N u l l a b l e K e y C o l u m n M i n V a l u e N a m e o f t a b l e N a m e o f c o l u m n Y ; N W h e t h e r t h e c o l u m n i s n u l l a b l e Y M i n i m u m v a l u e a l l o w e d M a x i m u m v a l u e a l l o w e d F o r f o r e i g n k e y
Data Raw:	4e 61 6d 65 54 61 62 6c 65 54 79 70 65 43 6f 6c 75 6d 6e 49 64 65 6e 74 69 66 69 65 72 5f 56 61 6c 69 64 61 74 69 6f 6e 56 61 6c 75 65 4e 50 72 6f 70 65 72 74 79 49 64 5f 53 75 6d 6d 61 72 79 49 6e 66 6f 72 6d 61 74 69 6f 6e 44 65 73 63 72 69 70 74 69 6f 6e 53 65 74 43 61 74 65 67 6f 72 79 4b 65 79 54 61 62 6c 65 4d 61 78 56 61 6c 75 65 4e 75 6c 6c 61 62 6c 65 4b 65 79 43 6f 6c 75

Stream Path: \x18496\x16191\x17783\x17516\x15978\x17586\x18479, File Type: data, Stream Size: 852

General
Stream Path:	\x18496\x16191\x17783\x17516\x15978\x17586\x18479
File Type:	data
Stream Size:	852
Entropy:	3.2751779270113106
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ' . . . . . . . . . 6 . . . $ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B . . . . . . . . . . . . . . o . . . . . . . . . . . . . . . ; . . . . . . . . . . . > . . . . . . . . . . . . . . . . . . ' . . . . . . . . . . . . . . . . . . . . . S . . . ^ . . . . . . . . . . . . . . . . . . . . . . . :
Data Raw:	00 00 00 00 04 00 02 00 05 00 02 00 00 00 00 00 04 00 02 00 06 00 02 00 0a 00 1b 00 0b 00 15 00 05 00 05 00 01 00 2d 00 0a 00 01 00 13 00 02 00 0b 00 04 00 03 00 02 00 08 00 02 00 08 00 02 00 08 00 02 00 08 00 02 00 09 00 02 00 08 00 02 00 0d 00 01 00 0e 00 01 00 03 00 01 00 1e 00 01 00 01 00 27 00 15 00 01 00 15 00 01 00 36 00 01 00 24 00 01 00 f5 00 01 00 0f 00 01 00 04 00 07 00

Stream Path: \x18496\x16255\x16740\x16943\x18486, File Type: data, Stream Size: 34

General
Stream Path:	\x18496\x16255\x16740\x16943\x18486
File Type:	data
Stream Size:	34
Entropy:	3.043731420625169
Base64 Encoded:	False
Data ASCII:	. . " . ) . * . + . 1 . 9 . I . X . ] . k . l . m . x . z . . .
Data Raw:	07 00 22 00 29 00 2a 00 2b 00 31 00 39 00 49 00 58 00 5d 00 6b 00 6c 00 6d 00 78 00 7a 00 85 00 8f 00

Stream Path: \x18496\x16383\x17380\x16876\x17892\x17580\x18481, File Type: data, Stream Size: 2016

General
Stream Path:	\x18496\x16383\x17380\x16876\x17892\x17580\x18481
File Type:	data
Stream Size:	2016
Entropy:	2.3834058956899153
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . " . " . " . ) . ) . ) . * . * . * . + . + . + . + . + . + . 1 . 1 . 1 . 9 . 9 . 9 . 9 . 9 . I . I . I . I . I . I . I . I . X . X . ] . ] . ] . ] . ] . ] . ] . ] . k . k . k . l . l . l . m . m . m . m . m . m . x . x . z . z . z . z . z . z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . % . ' . # . % . ' . # . % . ' . % . + . - . 0 . 3 . 6 . 1 . E . G . . . # . < . ? . B . . . 0 . 3 . I . K . M . P . R . Y . [ . ' . 3 . [ . ] . `
Data Raw:	07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 07 00 0b 00 0b 00 22 00 22 00 22 00 29 00 29 00 29 00 2a 00 2a 00 2a 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 31 00 31 00 31 00 39 00 39 00 39 00 39 00 39 00 49 00 49 00 49 00 49 00 49 00 49 00 49 00 49 00 58 00 58 00 5d 00 5d 00 5d 00 5d 00 5d 00 5d 00 5d 00 5d 00 6b 00 6b 00 6b 00 6c 00 6c 00 6c 00 6d 00 6d 00 6d 00 6d 00 6d 00

Stream Path: \x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 48

General
Stream Path:	\x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934
File Type:	data
Stream Size:	48
Entropy:	3.0684210940655055
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . x . < .
Data Raw:	9a 00 9b 00 9c 00 9d 00 9e 00 9f 00 a0 00 a1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 83 84 83 e8 83 78 85 dc 85 3c 8f a0 8f c8 99

Stream Path: \x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 24

General
Stream Path:	\x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472
File Type:	data
Stream Size:	24
Entropy:	2.594360937770434
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . .
Data Raw:	9a 00 9b 00 9c 00 a2 00 00 00 00 00 00 00 00 00 20 83 84 83 e8 83 14 85

Stream Path: \x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 42

General
Stream Path:	\x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472
File Type:	data
Stream Size:	42
Entropy:	2.865948479683034
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . x . . .
Data Raw:	9a 00 9c 00 9d 00 9e 00 a1 00 a3 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 83 e8 83 78 85 dc 85 c8 99 9c 98 00 99

Stream Path: \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486, File Type: data, Stream Size: 4

General
Stream Path:	\x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486
File Type:	data
Stream Size:	4
Entropy:	1.5
Base64 Encoded:	False
Data ASCII:	. .
Data Raw:	b2 00 a5 00

Stream Path: \x18496\x16911\x17892\x17784\x18472, File Type: data, Stream Size: 32

General
Stream Path:	\x18496\x16911\x17892\x17784\x18472
File Type:	data
Stream Size:	32
Entropy:	2.472874329980682
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . .
Data Raw:	b2 00 b3 00 b3 00 00 00 b4 00 b6 00 b5 00 00 00 02 80 01 80 01 80 01 80 00 00 a7 00 00 80 00 80

Stream Path: \x18496\x16918\x17191\x18468, File Type: MIPSEB Ucode, Stream Size: 14

General
Stream Path:	\x18496\x16918\x17191\x18468
File Type:	MIPSEB Ucode
Stream Size:	14
Entropy:	1.626688849701832
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . .
Data Raw:	01 80 02 00 00 80 00 00 c6 00 00 00 00 00

Stream Path: \x18496\x16923\x17194\x17910\x18229, File Type: data, Stream Size: 12

General
Stream Path:	\x18496\x16923\x17194\x17910\x18229
File Type:	data
Stream Size:	12
Entropy:	2.617492461184755
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	a8 00 01 80 d2 00 d3 00 d4 00 a5 00

Stream Path: \x18496\x16923\x17584\x16953\x17167\x16943, File Type: data, Stream Size: 10

General
Stream Path:	\x18496\x16923\x17584\x16953\x17167\x16943
File Type:	data
Stream Size:	10
Entropy:	1.9609640474436814
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	a7 00 a5 00 00 00 a7 00 02 80

Stream Path: \x18496\x17165\x16949\x17894\x17778\x18492, File Type: data, Stream Size: 18

General
Stream Path:	\x18496\x17165\x16949\x17894\x17778\x18492
File Type:	data
Stream Size:	18
Entropy:	2.102187170949333
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . .
Data Raw:	a7 00 ad 00 af 00 ad 00 af 00 00 00 ae 00 b0 00 b1 00

Stream Path: \x18496\x17167\x16943, File Type: data, Stream Size: 40

General
Stream Path:	\x18496\x17167\x16943
File Type:	data
Stream Size:	40
Entropy:	2.6659614479285128
Base64 Encoded:	False
Data ASCII:	. . . . . . . D . D . . . . . . . . . . . . . . . .
Data Raw:	b7 00 bb 00 a5 00 a5 00 b8 00 bc 00 00 44 06 80 44 00 00 80 b9 00 00 00 ba 00 00 00 00 82 00 82 01 00 00 80 02 00 00 80

Stream Path: \x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 120

General
Stream Path:	\x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934
File Type:	data
Stream Size:	120
Entropy:	3.6961843239779912
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . @ . ( p . y
Data Raw:	9a 00 9b 00 9c 00 9d 00 9e 00 a0 00 a1 00 a3 00 a4 00 a9 00 ab 00 bd 00 be 00 bf 00 c0 00 c1 00 c2 00 c3 00 c4 00 c5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 83 84 83 e8 83 78 85 dc 85 a0 8f c8 99 9c 98 00 99 ca 99 c9 99 bc 82 40 86 08 87 28 8a ac 8d 88 93 70 97 d4 97 79 85

Stream Path: \x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 30

General
Stream Path:	\x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472
File Type:	data
Stream Size:	30
Entropy:	2.794949047732144
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . .
Data Raw:	9a 00 9b 00 9c 00 a2 00 bd 00 00 00 00 00 00 00 00 00 00 00 20 83 84 83 e8 83 14 85 bc 82

Stream Path: \x18496\x17548\x17648\x17522\x17512\x18487, File Type: data, Stream Size: 12

General
Stream Path:	\x18496\x17548\x17648\x17522\x17512\x18487
File Type:	data
Stream Size:	12
Entropy:	2.292481250360578
Base64 Encoded:	False
Data ASCII:	. . . . . . .
Data Raw:	a5 00 a6 00 a7 00 04 80 00 00 a8 00

Stream Path: \x18496\x17753\x17650\x17768\x18231, File Type: data, Stream Size: 24

General
Stream Path:	\x18496\x17753\x17650\x17768\x18231
File Type:	data
Stream Size:	24
Entropy:	2.792481250360579
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . .
Data Raw:	c7 00 c9 00 cb 00 cc 00 ce 00 d0 00 c8 00 ca 00 ba 00 cd 00 cf 00 d1 00

Stream Path: \x18496\x17814\x15340\x17388\x15464\x17828\x18475, File Type: data, Stream Size: 20

General
Stream Path:	\x18496\x17814\x15340\x17388\x15464\x17828\x18475
File Type:	data
Stream Size:	20
Entropy:	4.1219280948873624
Base64 Encoded:	False
Data ASCII:	. . . . A Q f y .
Data Raw:	bb 00 00 80 03 08 aa ac 8d ab 8a e9 de 41 f5 51 66 79 bb 1b

Stream Path: \x18496\x17932\x17910\x17458\x16778\x17207\x17522, File Type: data, Stream Size: 24

General
Stream Path:	\x18496\x17932\x17910\x17458\x16778\x17207\x17522
File Type:	data
Stream Size:	24
Entropy:	2.1140054628542204
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . .
Data Raw:	a9 00 ab 00 e2 80 e2 80 a7 00 a7 00 aa 00 ac 00 00 00 00 00 00 00 00 00

Network Behavior

⊘No network behavior found

Statistics

⊘No statistics

System Behavior

Analysis Process: WINWORD.EXEPID: 6804, Parent PID: 756

General

Target ID:	0
Start time:	08:43:36
Start date:	17/06/2022
Path:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x1270000
File size:	1937688 bytes
MD5 hash:	0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report cbH3TvDB3v.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\CE85CDA7-9E87-44BF-B16F-1078AF3ADBE3

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRD0000.doc

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{327BF051-2C37-41E3-8183-EDDFCBD2B5C5}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{D2BD1A0C-0F0D-4881-AD92-A7EF1FBC8E71}.tmp

C:\Users\user\AppData\Local\Temp\~DF0258E66BF876B8C5.TMP

C:\Users\user\AppData\Local\Temp\~DF8EC971471F55E58D.TMP

C:\Users\user\AppData\Local\Temp\~DF9EB3B20486B0AF64.TMP

C:\Users\user\AppData\Local\Temp\~DFBBBC0FD9D34D6548.TMP

C:\Users\user\AppData\Local\Temp\~DFD09D1702729436C4.TMP

C:\Users\user\AppData\Local\Temp\~DFE82BBEEE0183323C.TMP

C:\Users\user\AppData\Local\Temp\~DFE8B0535EAC1A263D.TMP

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\cbH3TvDB3v.doc.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

C:\Users\user\Desktop\~$H3TvDB3v.doc

Static File Info

General

File Icon

Static OLE Info

General

Authenticode Signature

OLE File "cbH3TvDB3v.doc"

Indicators

Summary

Streams

Stream Path: \x5DigitalSignature, File Type: data, Stream Size: 4773

General

Stream Path: \x5MsiDigitalSignatureEx, File Type: data, Stream Size: 32

General

Windows Analysis Report
cbH3TvDB3v.doc