Windows Analysis Report
zJ2b57acTF.xlsx

Overview

General Information

Sample Name: zJ2b57acTF.xlsx
Analysis ID: 659479
MD5: b8a6fb2af1f22213fc469b3fc7d65382
SHA1: bc2d6b81ef00a56dc2fd13fc9a4c90a08d1a5068
SHA256: 6d4e5e60b4f6cbc8a6e14343b59c406fe5c7f948aded16d23a0f6ed6984907c2
Tags: CVE-2022-30190, Follina, xlsx

Detection

Follina CVE-2022-30190
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Yara signature match

Classification

  • System is w10x64
  • EXCEL.EXE (PID: 2300 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
  • cleanup
No configs have been found
Source: .rels, Rule: SUSP_PS1_Msdt_Execution_May22, Description: Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, Author: Nasreddine Bencherchali, Christian Burkard, Strings:
  • 0x1ae4:$a: PCWDiagnostic
  • 0x1ad8:$sa3: ms-msdt
  • 0x1b57:$sb3: IT_BrowseForFile=
Source: .rels, Rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, Description: Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, Author: Tobias Michalski, Christian Burkard, Strings:
  • 0x1ac7:$re1: location.href = "ms-msdt:
Source: .rels, Rule: JoeSecurity_Follina, Description: Yara detected Microsoft Office Exploit Follina / CVE-2022-30190, Author: Joe Security
    No Sigma rule has matched
    No Snort rule has matched

    AV Detection

    Source: zJ2b57acTF.xlsx, Metadefender: Detection: 22%
    Source: zJ2b57acTF.xlsx, ReversingLabs: Detection: 41%

    Exploits

    Source: Yara match, File source: .rels, type: SAMPLE
    Source: 804B232B-F5B7-40B7-9B79-A747BDD996CB.0.dr, strings found in binary or memory:
      • http://b.c2r.ts.cdn.office.net/pr
      • http://f.c2r.ts.cdn.office.net/pr
      • http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
      • http://weather.service.msn.com/data.aspx
      • https://addinsinstallation.store.office.com/app/acquisitionlogging
      • https://addinsinstallation.store.office.com/app/download
      • https://addinsinstallation.store.office.com/appinstall/authenticated
      • https://addinsinstallation.store.office.com/appinstall/preinstalled
      • https://addinsinstallation.store.office.com/appinstall/unauthenticated
      • https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
      • https://addinslicensing.store.office.com/apps/remove
      • https://addinslicensing.store.office.com/commerce/query
      • https://addinslicensing.store.office.com/entitlement/query
      • https://addinslicensing.store.office.com/orgid/apps/remove
      • https://addinslicensing.store.office.com/orgid/entitlement/query
      • https://analysis.windows.net/powerbi/api
      • https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
      • https://api.aadrm.com
      • https://api.aadrm.com/
      • https://api.addins.omex.office.net/appinfo/query
      • https://api.addins.omex.office.net/appstate/query
      • https://api.addins.store.office.com/addinstemplate
      • https://api.addins.store.office.com/app/query
      • https://api.addins.store.officeppe.com/addinstemplate
      • https://api.cortana.ai
      • https://api.diagnostics.office.com
      • https://api.diagnosticssdf.office.com
      • https://api.diagnosticssdf.office.com/v2/feedback
      • https://api.diagnosticssdf.office.com/v2/file
      • https://api.microsoftstream.com/api/
      • https://api.office.net
      • https://api.onedrive.com
      • https://api.powerbi.com/beta/myorg/imports
      • https://api.powerbi.com/v1.0/myorg/datasets
      • https://api.powerbi.com/v1.0/myorg/groups
      • https://apis.live.net/v5.0/
      • https://arc.msn.com/v4/api/selection
      • https://asgsmsproxyapi.azurewebsites.net/
      • https://augloop.office.com
      • https://augloop.office.com/v2
      • https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
      • https://autodiscover-s.outlook.com/
      • https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
      • https://cdn.entity.
      • https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
      • https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
      • https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
      • https://client-office365-tas.msedge.net/ab
      • https://clients.config.office.net/
      • https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
      • https://clients.config.office.net/user/v1.0/android/policies
      • https://clients.config.office.net/user/v1.0/ios
      • https://clients.config.office.net/user/v1.0/mac
      • https://clients.config.office.net/user/v1.0/tenantassociationkey
      • https://cloudfiles.onenote.com/upload.aspx
      • https://config.edge.skype.com
      • https://config.edge.skype.com/config/v1/Office
      • https://config.edge.skype.com/config/v2/Office
      • https://cortana.ai
      • https://cortana.ai/api
      • https://cr.office.com
      • https://dataservice.o365filtering.com
      • https://dataservice.o365filtering.com/
      • https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
      • https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
      • https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
      • https://dev.cortana.ai
      • https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
      • https://dev0-api.acompli.net/autodetect
      • https://devnull.onenote.com
      • https://directory.services.
      • https://ecs.office.com/config/v2/Office
      • https://edu-mathreco-prod.trafficmanager.net
      • https://edu-mathsolver-prod.trafficmanager.net
      • https://enrichment.osi.office.net/
      • https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
      • https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
      • https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
      • https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
      • https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
      • https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
      • https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
      • https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
      • https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
      • https://entitlement.diagnostics.office.com
      • https://entitlement.diagnosticssdf.office.com
      • https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
      • https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
      • https://globaldisco.crm.dynamics.com
      • https://graph.ppe.windows.net
      • https://graph.ppe.windows.net/
      • https://graph.windows.net
      • https://graph.windows.net/
      • https://hubblecontent.osi.office.net/contentsvc/api/telemetry
      • https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
      • https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
      • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
      • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
      • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
      • https://hubblecontent.osi.office.net/contentsvc/microsofticon?
      • https://incidents.diagnostics.office.com
      • https://incidents.diagnosticssdf.office.com
      • https://inclient.store.office.com/gyro/client
      • https://inclient.store.office.com/gyro/clientstore
      • https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
      • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
      • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
      • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
      • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
      • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
      • https://insertmedia.bing.office.net/odc/insertmedia
      • https://invites.office.com/
      • https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
      • https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
      • https://lifecycle.office.com
      • https://login.microsoftonline.com/
      • https://login.windows-ppe.net/common/oauth2/authorize
      • https://login.windows.local
      • https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
      • https://login.windows.net/common/oauth2/authorize
      • https://loki.delve.office.com/api/v1/configuration/officewin32/
      • https://lookup.onenote.com/lookup/geolocation/v1
      • https://management.azure.com
      • https://management.azure.com/
      • https://messaging.action.office.com/
      • https://messaging.action.office.com/setcampaignaction
      • https://messaging.action.office.com/setuseraction16
      • https://messaging.engagement.office.com/
      • https://messaging.engagement.office.com/campaignmetadataaggregator
      • https://messaging.lifecycle.office.com/
      • https://messaging.lifecycle.office.com/getcustommessage16
      • https://messaging.office.com/
      • https://metadata.templates.cdn.office.net/client/log
      • https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
      • https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
      • https://ncus.contentsync.
      • https://ncus.pagecontentsync.
      • https://o365auditrealtimeingestion.manage.office.com
      • https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
      • https://o365diagnosticsppe-web.cloudapp.net
      • https://ocos-office365-s2s.msedge.net/ab
      • https://ofcrecsvcapi-int.azurewebsites.net/
      • https://officeapps.live.com
      • https://officeci.azurewebsites.net/api/
      • https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
      • https://officesetup.getmicrosoftkey.com
      • https://ogma.osi.office.net/TradukoApi/api/v1.0/
      • https://omex.cdn.office.net/addinclassifier/officeentities
      • https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
      • https://omex.cdn.office.net/addinclassifier/officesharedentities
      • https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
      • https://onedrive.live.com
      • https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
      • https://onedrive.live.com/embed?
      • https://osi.office.net
      • https://otelrules.azureedge.net
      • https://outlook.office.com
      • https://outlook.office.com/
      • https://outlook.office.com/autosuggest/api/v1/init?cvid=
      • https://outlook.office365.com
      • https://outlook.office365.com/
      • https://outlook.office365.com/api/v1.0/me/Activities
      • https://outlook.office365.com/autodiscover/autodiscover.json
      • https://ovisualuiapp.azurewebsites.net/pbiagave/
      • https://pages.store.office.com/appshome.aspx?productgroup=Outlook
      • https://pages.store.office.com/review/query
      • https://pages.store.office.com/webapplandingpage.aspx
      • https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
      • https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
      • https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
      • https://portal.office.com/account/?ref=ClientMeControl
      • https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
      • https://powerlift-frontdesk.acompli.net
      • https://powerlift.acompli.net
      • https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
      • https://prod-global-autodetect.acompli.net/autodetect
      • https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
      • https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
      • https://res.getmicrosoftkey.com/api/redemptionevents
      • https://roaming.edog.
      • https://rpsticket.partnerservices.getmicrosoftkey.com
      • https://settings.outlook.com
      • https://shell.suite.office.com:1443
      • https://skyapi.live.net/Activity/
      • https://sr.outlook.office.net/ws/speech/recognize/assistant/work
      • https://staging.cortana.ai
      • https://storage.live.com/clientlogs/uploadlocation
      • https://store.office.cn/addinstemplate
      • https://store.office.de/addinstemplate
      • https://substrate.office.com/search/api/v1/SearchHistory
      • https://substrate.office.com/search/api/v2/init
      • https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
      • https://tasks.office.com
      • https://uci.cdn.office.net/mirrored/smartlookup/current/
      • https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
      • https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
      • https://visio.uservoice.com/forums/368202-visio-on-devices
      • https://web.microsoftstream.com/video/
      • https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
      • https://webshell.suite.office.com
      • https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
      • https://wus2.contentsync.
      • https://wus2.pagecontentsync.
      • https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
      • https://www.odwebp.svc.ms
    Source: .rels, type: SAMPLE, Matched rule: SUSP_PS1_Msdt_Execution_May22, date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-06-20
    Source: .rels, type: SAMPLE, Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22, date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Temp\{A0FEE8F1-61ED-4946-ADC5-6AE44CB8751C} - OProcSessId.dat
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
    Source: classification engine, Classification label: mal56.expl.winXLSX@1/2@0/0
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File read: C:\Users\desktop.ini
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
    Source: Window Recorder, Window detected: More than 3 window changes detected
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Process information set: NOOPENFILEERRORBOX (reported 3 times)
    MITRE ATT&CK matrix (tactic: techniques; a number before a technique is the hit count the report shows for it)
    Initial Access: Valid Accounts; Default Accounts
    Execution: Windows Management Instrumentation; Scheduled Task/Job
    Persistence: Path Interception; Boot or Logon Initialization Scripts
    Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
    Defense Evasion: 1 Masquerading; Rootkit
    Credential Access: OS Credential Dumping; LSASS Memory
    Discovery: 1 File and Directory Discovery; 2 System Information Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol
    Collection: Data from Local System; Data from Removable Media
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
    Command and Control: Data Obfuscation; Junk Data
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
    Impact: Modify System Partition; Device Lockout
    Source | Detection | Scanner | Label | Link
    zJ2b57acTF.xlsx | 23% | Metadefender | - | Browse
    zJ2b57acTF.xlsx | 41% | ReversingLabs | Script-JS.Exploit.CVE-2022-30190 | -
    No Antivirus matches
    Source | Detection | Scanner | Label
    https://roaming.edog. | 0% | URL Reputation | safe
    https://cdn.entity. | 0% | URL Reputation | safe
    https://powerlift.acompli.net | 0% | URL Reputation | safe
    https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
    https://cortana.ai | 0% | URL Reputation | safe
    https://api.aadrm.com/ | 0% | URL Reputation | safe
    https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe
    https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 0% | Avira URL Cloud | safe
    https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
    https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
    https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe
    https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
    https://api.aadrm.com | 0% | URL Reputation | safe
    https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
    https://www.odwebp.svc.ms | 0% | URL Reputation | safe
    https://api.addins.store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
    https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
    https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
    https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
    https://ncus.contentsync. | 0% | URL Reputation | safe
    https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
    https://wus2.contentsync. | 0% | URL Reputation | safe
    https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe
    https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe
    https://ncus.pagecontentsync. | 0% | URL Reputation | safe
    No contacted domains info
    Name | Malicious | Antivirus Detection | Reputation
    (Source for every entry below: 804B232B-F5B7-40B7-9B79-A747BDD996CB.0.dr)
    https://api.diagnosticssdf.office.com | false | - | high
    https://login.microsoftonline.com/ | false | - | high
    https://shell.suite.office.com:1443 | false | - | high
    https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | false | - | high
    https://autodiscover-s.outlook.com/ | false | - | high
    https://roaming.edog. | false | URL Reputation: safe | unknown
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | false | - | high
    https://cdn.entity. | false | URL Reputation: safe | unknown
    https://api.addins.omex.office.net/appinfo/query | false | - | high
    https://clients.config.office.net/user/v1.0/tenantassociationkey | false | - | high
    https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | false | - | high
    https://powerlift.acompli.net | false | URL Reputation: safe | unknown
    https://rpsticket.partnerservices.getmicrosoftkey.com | false | URL Reputation: safe | unknown
    https://lookup.onenote.com/lookup/geolocation/v1 | false | - | high
    https://cortana.ai | false | URL Reputation: safe | unknown
    https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | false | - | high
    https://cloudfiles.onenote.com/upload.aspx | false | - | high
    https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | false | - | high
    https://entitlement.diagnosticssdf.office.com | false | - | high
    https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | false | - | high
    https://api.aadrm.com/ | false | URL Reputation: safe | unknown
    https://ofcrecsvcapi-int.azurewebsites.net/ | false | URL Reputation: safe | unknown
    https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | false | - | high
    https://api.microsoftstream.com/api/ | false | - | high
    https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | false | - | high
    https://cr.office.com | false | - | high
    https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | false | Avira URL Cloud: safe | low
    https://portal.office.com/account/?ref=ClientMeControl | false | - | high
    https://graph.ppe.windows.net | false | - | high
    https://res.getmicrosoftkey.com/api/redemptionevents | false | URL Reputation: safe | unknown
    https://powerlift-frontdesk.acompli.net | false | URL Reputation: safe | unknown
    https://tasks.office.com | false | - | high
    https://officeci.azurewebsites.net/api/ | false | URL Reputation: safe | unknown
    https://sr.outlook.office.net/ws/speech/recognize/assistant/work | false | - | high
    https://store.office.cn/addinstemplate | false | URL Reputation: safe | unknown
    https://api.aadrm.com | false | URL Reputation: safe | unknown
    https://outlook.office.com/autosuggest/api/v1/init?cvid= | false | - | high
    https://globaldisco.crm.dynamics.com | false | - | high
    https://messaging.engagement.office.com/ | false | - | high
    https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | false | - | high
    https://dev0-api.acompli.net/autodetect | false | URL Reputation: safe | unknown
    https://www.odwebp.svc.ms | false | URL Reputation: safe | unknown
    https://api.diagnosticssdf.office.com/v2/feedback | false | - | high
    https://api.powerbi.com/v1.0/myorg/groups | false | - | high
    https://web.microsoftstream.com/video/ | false | - | high
    https://api.addins.store.officeppe.com/addinstemplate | false | URL Reputation: safe | unknown
    https://graph.windows.net | false | - | high
    https://dataservice.o365filtering.com/ | false | URL Reputation: safe | unknown
    https://officesetup.getmicrosoftkey.com | false | URL Reputation: safe | unknown
    https://analysis.windows.net/powerbi/api | false | - | high
    https://prod-global-autodetect.acompli.net/autodetect | false | URL Reputation: safe | unknown
    https://outlook.office365.com/autodiscover/autodiscover.json | false | - | high
    https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | false | - | high
    https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | false | - | high
    https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices | false | - | high
    https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | false | - | high
    https://ncus.contentsync. | false | URL Reputation: safe | unknown
    https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | false | - | high
    https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | false | - | high
    http://weather.service.msn.com/data.aspx | false | - | high
    https://apis.live.net/v5.0/ | false | URL Reputation: safe | unknown
    https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | false | - | high
    https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | false | - | high
    https://messaging.lifecycle.office.com/ | false | - | high
    https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | false | - | high
    https://management.azure.com | false | - | high
    https://outlook.office365.com | false | - | high
    https://wus2.contentsync. | false | URL Reputation: safe | unknown
    https://incidents.diagnostics.office.com | false | - | high
    https://clients.config.office.net/user/v1.0/ios | false | - | high
    https://insertmedia.bing.office.net/odc/insertmedia | false | - | high
    https://o365auditrealtimeingestion.manage.office.com | false | - | high
    https://outlook.office365.com/api/v1.0/me/Activities | false | - | high
    https://api.office.net | false | - | high
    https://incidents.diagnosticssdf.office.com | false | - | high
    https://asgsmsproxyapi.azurewebsites.net/ | false | URL Reputation: safe | unknown
    https://clients.config.office.net/user/v1.0/android/policies | false | - | high
    https://entitlement.diagnostics.office.com | false | - | high
    https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | false | - | high
    https://substrate.office.com/search/api/v2/init | false | - | high
    https://outlook.office.com/ | false | - | high
    https://storage.live.com/clientlogs/uploadlocation | false | - | high
    https://outlook.office365.com/ | false | - | high
    https://webshell.suite.office.com | false | - | high
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive | false | - | high
    https://substrate.office.com/search/api/v1/SearchHistory | false | - | high
    https://management.azure.com/ | false | - | high
    https://messaging.lifecycle.office.com/getcustommessage16 | false | - | high
    https://clients.config.office.net/c2r/v1.0/InteractiveInstallation | false | - | high
    https://login.windows.net/common/oauth2/authorize | false | - | high
    https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | false | URL Reputation: safe | unknown
    https://graph.windows.net/ | false | - | high
    https://api.powerbi.com/beta/myorg/imports | false | - | high
    https://devnull.onenote.com | false | - | high
    https://messaging.action.office.com/ | false | - | high
    https://ncus.pagecontentsync. | false | URL Reputation: safe | unknown
    https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json | false | - | high
    https://messaging.office.com/ | false | - | high
    https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | false | - | high
    https://augloop.office.com/v2 | false | - | high
                                                                                                                                                          No contacted IP infos
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 659479
Start date and time: 2022-07-08 08:38:37 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 31s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: zJ2b57acTF.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal56.expl.winXLSX@1/2@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .xlsx
• Adjust boot time
• Enable AMSI
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 52.109.76.141, 52.109.88.40, 52.109.88.39
• Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, arc.msn.com, ris.api.iris.microsoft.com, go.microsoft.com, store-images.s-microsoft.com, login.live.com, config.officeapps.live.com, sls.update.microsoft.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• VT rate limit hit for: zJ2b57acTF.xlsx
No simulations
No context
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 149155
Entropy (8bit): 5.356541410467761
Encrypted: false
SSDEEP: 1536:JcQW/gxgB5BQguw5/Q9DQC+zQWk4F77nXmvid3Xx5ETLKz6e:QJQ9DQC+zPXwI
MD5: 35706A3B22BEB1BC66FAC0E768F1D886
SHA1: 19E3DDBD78EC43E94F1FA2D45FD5155869A65699
SHA-256: 5E34998B9025FE6D4A1823AED6E957FB2F238048A54F1EEBF6B19F77652B6872
SHA-512: EAD4360A43943E946BA8F2128E597A8C0CAE36B0C869622FB68472898E0D40EBFE1E5EAECBF55EADE629A9233DDC7711BAF8CDC12EFEF24D70C34AAF3E533342
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-07-08T06:39:45">.. Build: 16.0.15505.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 165
Entropy (8bit): 1.6081032063576088
Encrypted: false
SSDEEP: 3:RFXI6dtt:RJ1
MD5: 7AB76C81182111AC93ACF915CA8331D5
SHA1: 68B94B5D4C83A6FB415C8026AF61F3F8745E2559
SHA-256: 6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
SHA-512: A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
Malicious: true
Reputation: high, very likely benign file
Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
File type: Microsoft OOXML
Entropy (8bit): 7.2242451103796474
TrID:
• Excel Microsoft Office Open XML Format document (40004/1) 83.33%
• ZIP compressed archive (8000/1) 16.67%
File name: zJ2b57acTF.xlsx
File size: 13955
MD5: b8a6fb2af1f22213fc469b3fc7d65382
SHA1: bc2d6b81ef00a56dc2fd13fc9a4c90a08d1a5068
SHA256: 6d4e5e60b4f6cbc8a6e14343b59c406fe5c7f948aded16d23a0f6ed6984907c2
SHA512: 3830c5a98c28dae095bd2f44bfa29e27a856f92d3fb5d71bc2170f9d2995d9eb011cea50f84c6487e63f574ae872dd49d6ef0d8b13200c08029b5604393d4c04
SSDEEP: 192:44wboitZCnzIb3UuwVemtGa4cV2s7SlUcwNClk0UNaO8Ibwiu4W8+j4sjt/siAe:44p3zI38jV2s7SluQoPKGW8q4sjFsiAe
TLSH: 39528E1AC127A03DF273807AC20929E6DD9D22079135A40FB0A0B6CD68D2BDB579F75F
File Content Preview: PK........e..T..7HL...5......._rels/.rels.._k.0.........}..6...n.....Z....."..Zd.H7K..w.......OC...............'.h...^...8..qE..F../.E.NK...|......wx.V"..KSGF..s^"..BDUB%c.kp.3...H.P.Z..,@...~..%...0...y..}.F..6a...(8.jV..5G.X 8..W.z?..Hx....k.nh9.Y....X.
Icon Hash: 74ecd0d2d6d6d0dc
No network behavior found

Target ID: 0
Start time: 08:39:42
Start date: 08/07/2022
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
Imagebase: 0xab0000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

No disassembly