Edit tour

Windows Analysis Report
SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.rtf

Overview

General Information

Sample Name:	SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.rtf
Analysis ID:	680530
MD5:	a5b0c571197ee2931e12f11caf138eff
SHA1:	a4355fe45e321b99274f8000c5ac9c08f7146b28
SHA256:	00915bcbff87b2e195e1547df8e1944cadcdc6aa46beb130bd5a960dff01c7e3
Tags:	rtf
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Malicious sample detected (through community Yara rule)

Office process drops PE file

PE file has nameless sections

Machine Learning detection for dropped file

Found suspicious RTF objects

Found potential equation exploit (CVE-2017-11882)

PE file contains section with special chars

Yara signature match

Drops PE files

PE file contains sections with non-standard names

Found dropped PE file which has not been started or loaded

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 5144 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.rtf	MAL_RTF_Embedded_OLE_PE	Detects a suspicious string often used in PE files in a hex encoded object stream	Florian Roth	0x178c:$a1: 546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f6465 0x16f0:$m1: 4d5a90000300000004000000ffff
SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.rtf	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x1276:$obj2: \objdata 0x1e867e:$obj2: \objdata 0x2c8c94:$obj3: \objupdate 0x8e3:$obj4: \objemb 0x1e7ceb:$obj4: \objemb

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Client.exe

Joe Sandbox ML: detected

Exploits

Found potential equation exploit (CVE-2017-11882)

Source:

Static RTF information: Object: 1 Offset: 001E86A2h

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Software Vulnerabilities

Document exploit detected (creates forbidden files)

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\Client.exe

Jump to behavior

Document exploit detected (drops PE files)

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: Client.exe.0.dr

Jump to dropped file

Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://api.aadrm.com
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://api.cortana.ai
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://api.office.net
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://api.onedrive.com
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://augloop.office.com
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://cdn.entity.
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://cortana.ai
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://cortana.ai/api
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://cr.office.com
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://directory.services.
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://graph.windows.net
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://graph.windows.net/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://invites.office.com/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://login.windows.local
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://management.azure.com
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://management.azure.com/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://messaging.office.com/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://officeapps.live.com
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://onedrive.live.com
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://osi.office.net
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://outlook.office.com
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://outlook.office.com/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://outlook.office365.com
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://roaming.edog.
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://settings.outlook.com
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://tasks.office.com
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

System Summary

Malicious sample detected (through community Yara rule)

Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.rtf, type: SAMPLE

Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen

Office process drops PE file

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\Client.exe

Jump to dropped file

PE file has nameless sections

Source: Client.exe.0.dr

Static PE information: section name:

Found suspicious RTF objects

Source: Client.exe

Static RTF information: Object: 0 Offset: 0000129Ah Client.exe

PE file contains section with special chars

Source: Client.exe.0.dr

Static PE information: section name: sn=><v

Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.rtf, type: SAMPLE	Matched rule: MAL_RTF_Embedded_OLE_PE date = 2018-01-22, author = Florian Roth, description = Detects a suspicious string often used in PE files in a hex encoded object stream, reference = https://www.nextron-systems.com/2018/01/22/creating-yara-rules-detect-embedded-exe-files-ole-objects/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.rtf, type: SAMPLE	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.

Source: Client.exe.0.dr

Static PE information: Section: sn=><v ZLIB complexity 1.000335151627219

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.rtf.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.rtf

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{4B604896-050E-40FE-8028-EE011E929FDA} - OProcSessId.dat

Jump to behavior

Source: classification engine

Classification label: mal88.expl.winRTF@1/9@0/0

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.rtf

Static file information: File size 2920194 > 1048576

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Source: Client.exe.0.dr	Static PE information: section name: sn=><v
Source: Client.exe.0.dr	Static PE information: section name:

Source: initial sample

Static PE information: section name: sn=><v entropy: 7.999482172506492

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\Client.exe

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Client.exe

Jump to dropped file

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	3 Exploitation for Client Execution	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	2 Software Packing	LSASS Memory	2 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Client.exe	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://roaming.edog.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://my.microsoftpersonalcontent.com	0%	Avira URL Cloud	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://login.microsoftonline.com/	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://shell.suite.office.com:1443	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://autodiscover-s.outlook.com/	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://roaming.edog.	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://cdn.entity.	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://powerlift.acompli.net	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://cortana.ai	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://api.aadrm.com/	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://api.microsoftstream.com/api/	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://cr.office.com	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false	Avira URL Cloud: safe	low
https://portal.office.com/account/?ref=ClientMeControl	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://graph.ppe.windows.net	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://officeci.azurewebsites.net/api/	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://my.microsoftpersonalcontent.com	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false	Avira URL Cloud: safe	unknown
https://store.office.cn/addinstemplate	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://globaldisco.crm.dynamics.com	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://messaging.engagement.office.com/	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://dev0-api.acompli.net/autodetect	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://api.powerbi.com/v1.0/myorg/groups	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://web.microsoftstream.com/video/	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://api.addins.store.officeppe.com/addinstemplate	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://dataservice.o365filtering.com/	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://ncus.contentsync.	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
http://weather.service.msn.com/data.aspx	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://apis.live.net/v5.0/	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://messaging.lifecycle.office.com/	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://management.azure.com	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://outlook.office365.com	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://wus2.contentsync.	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://api.office.net	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://incidents.diagnosticssdf.office.com	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://entitlement.diagnostics.office.com	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://substrate.office.com/search/api/v2/init	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://outlook.office.com/	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://outlook.office365.com/	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://webshell.suite.office.com	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://substrate.office.com/search/api/v1/SearchHistory	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://management.azure.com/	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://messaging.lifecycle.office.com/getcustommessage16	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://clients.config.office.net/c2r/v1.0/InteractiveInstallation	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://login.windows.net/common/oauth2/authorize	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net/	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://devnull.onenote.com	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://messaging.action.office.com/	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://ncus.pagecontentsync.	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false	URL Reputation: safe	unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://messaging.office.com/	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	F79DE4CE-3D38-4A51-B300-A0A52CA0A936.0.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	680530
Start date and time: 08/08/202218:51:07	2022-08-08 18:51:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 40s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.rtf
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.expl.winRTF@1/9@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .rtf Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 52.109.32.24, 52.109.88.39
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, config.officeapps.live.com, sls.update.microsoft.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, cdn.onenote.net, europe.configsvc1.live.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\F79DE4CE-3D38-4A51-B300-A0A52CA0A936

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	148061
Entropy (8bit):	5.358133405421376
Encrypted:	false
SSDEEP:	1536:UcQW/gxgB5BQguwN/Q9DQe+zQTk4F77nXmvid3XxVETLKz61:/1Q9DQe+zuXYr
MD5:	524DEB669CBD12BFA0E862F9FB78CCDC
SHA1:	4FAC81AE9AD7B129C238661E0E4F781E9ABC91B3
SHA-256:	BDD825B56D52BE60C4D50616B97EB23E3DE3BCB9D883AF7ED68395685AF4507B
SHA-512:	35C6BD6E1DFE62F89124107E8F75773C10025164A3C9D0D9ECEF84078240F5D9B73E1E3FB54084EA093855FDBCC559B20A7699A275855D905F44B662EB56341C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-08-08T16:52:11">.. Build: 16.0.15601.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{C94F2438-4712-4EDB-BA13-F546C0F4C19F}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{D3E63778-DEB8-4D19-866C-1D5344BC51ED}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	1.1393247452705433
Encrypted:	false
SSDEEP:	6:beKNc1ElClXiKNwDOxRAJgm7KmrRmvlw5Fr+ur8FrK:beOc1MClXiO6Ox2JF5Rmvq5ZP8ZK
MD5:	2508CC81F5E9247B80C4FB3781394285
SHA1:	453AC54E5038EF8D30A585EB885652468B0992A4
SHA-256:	5A1936A4E61EFDCA38F71EE6AE93A7537F589F2A2B2B71D898B2877ECE3374FC
SHA-512:	08A7D69CF5ADD926CB304D49A5B97757FE3CF7EFEB957654EB7718ADF69B46F2A1C40F9973197E71300419ECBD3F1B5EBE40F63C228B6E92EA0075C11E7A86AD
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..).(.).(.).(.).(.).(.).5.=....... .P.a.c.k.a.g.e.E.M.B.E.D.5.=....... .U.n.k.n.o.w.n.E.M.B.E.D................................................................................................................................................................................................................................................................................................................................................................................................................................................."...<...>...@...F............................................................................................................................................................................................................................................................................................................................................................................................CJ..OJ..QJ..^J.....j....CJ..OJ..QJ..U..^J...<..CJ..OJ..QJ..^J...OJ..QJ..^J.

C:\Users\user\AppData\Local\Temp\Client.exe

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	979456
Entropy (8bit):	7.255901249909526
Encrypted:	false
SSDEEP:	12288:t1fPLY2Y841v3xqdanStZpGZh75x6OFMqnUDv2GTHPx2TZX5OHpCu9qvle:thDY2d4kE1x+qeZTZAZJcpv9W
MD5:	599BB05227A88A5C83E36E05D67DA0EA
SHA1:	663EBDC243BDF990D2950A0BCAB08CF316BDFF50
SHA-256:	2D63CA0053F446B5531AA5703C136586CEC0635994FD5DEE51DF7FE51DF58EB4
SHA-512:	5E1826F4EB4BD831A02DD705E2DF1ED1C082BB7E7D4486F6A4F34E6323F2942448EC3D2C56F516AA9A65AF71A2F4411D5BDA4764656E3C7B9776C0DF44DB7AE1
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b.........."...0......R.......@....... ....@.. ....................................@.................................\|...O.... .......................`.......................................................@..................H...........s.n=><v..F... ...H..................@....text...H............L.............. ..`.rsrc........ ......................@..@.............@...................... ..`.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Client.exe:Zone.Identifier

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:gAWY3n:qY3n
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]..ZoneId=3..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.rtf.LNK

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:31:46 2022, mtime=Tue Aug 9 00:52:12 2022, atime=Tue Aug 9 00:52:07 2022, length=2920194, window=hide
Category:	dropped
Size (bytes):	1240
Entropy (8bit):	4.746811657719839
Encrypted:	false
SSDEEP:	24:8pFo7u8/Pa/kfJoCn9U+QA95HCn9UkDrT7aB6m:8p69qvCna+n95HCnaSKB6
MD5:	1F66D0046017517FBB298B785E458174
SHA1:	0763BC76E9899DEC36D8826F7F3292883DF62A87
SHA-256:	D7D8FD1FD7E7918E65B21C3DE6BC78E74E0B01154E28815821D2184C47A0333D
SHA-512:	5B761C964501072DEA7C2236992BBDC65717F2F77C408F43230B958D05B44338344A54C1590D6764AAC76C7B7D03E5D160DDA097C3C09194CEFAEFCDEDFDFE54
Malicious:	false
Preview:	L..................F.... ...9[...3...M....m........,.....................)....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...U{.....................:.....q\|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....hT....user.<.......Ny..U{......S.....................]..h.a.r.d.z.....~.1.....hT....Desktop.h.......Ny..U{......Y..............>.....Y6..D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2...,..U.. .SECURI~1.RTF.........hT...U......h.......................b.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...R.t.f...O.b.f.u.s.c.a.t.e.d...3.2...2.7.6.4...r.t.f.......y...............-.......x...........>.S......C:\Users\user\Desktop\SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.rtf..J.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...R.t.f...O.b.f.u.s.c.a.t.e.d...3.2...2.7.6.4...r.t.f.........:..,.LB.)...As...`.......X.......284992...........!a..%.H.VZAj................-..!a..%

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	160
Entropy (8bit):	4.975057392169532
Encrypted:	false
SSDEEP:	3:bDuMJluscbcTLqjQWC0LXSdNFFomxWIMov8bcTLqjQWC0LXSdNFFov:bCVwTeS0LXS7N8wTeS0LXS7y
MD5:	3E8AC3467A1477A539CDEA8189236AAB
SHA1:	B66B713170E5B6356C249C6B0FDDBA263BA536C8
SHA-256:	F3DAE50CE58EF48DA30BD29C3450F9E9F6A9D86DBD807630025B85F767A3CC3B
SHA-512:	DE4754D2A05F58593AEC8B9BE5181A50289253E3EA5A4D2AE98F5C2A93CFA562B18D7BC3EBB56CE7603251F42882AC633B8E29B8DC50A0AA77D9F2C4602C8599
Malicious:	false
Preview:	[folders]..Templates.LNK=0..SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.rtf.LNK=0..[misc??????]..SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.rtf.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.0466224483025317
Encrypted:	false
SSDEEP:	3:Rl/Zd9vM43tt7LvKrBv/9nv2xCllXoln:RtZ/R3tFSNtuUlWn
MD5:	667567BDE1E565AE3CCC8C2482092094
SHA1:	701815E43A23F2B76A9ED83E489BCA8EB3616D86
SHA-256:	FD5B9F8A37DB674A9EBE5D295443329E72DD1EA9F9B37E41A724652FF6F74C84
SHA-512:	1139FCEC9EA59E6640A6B9FA359CCE71270B6DBFE25BF6EB612716A54D5D4D1B1641A5414E8161A1B70B9704B3BC1814039115F0DB6E66ABB53F9D17CA213853
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h..........J+N.............................J/N.............................J.N................

C:\Users\user\Desktop\~$curiteInfo.com.Exploit.Rtf.Obfuscated.32.2764.rtf

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.0466224483025317
Encrypted:	false
SSDEEP:	3:Rl/Zd9vM43tt7LvKrBv/9nv2xCllXoln:RtZ/R3tFSNtuUlWn
MD5:	667567BDE1E565AE3CCC8C2482092094
SHA1:	701815E43A23F2B76A9ED83E489BCA8EB3616D86
SHA-256:	FD5B9F8A37DB674A9EBE5D295443329E72DD1EA9F9B37E41A724652FF6F74C84
SHA-512:	1139FCEC9EA59E6640A6B9FA359CCE71270B6DBFE25BF6EB612716A54D5D4D1B1641A5414E8161A1B70B9704B3BC1814039115F0DB6E66ABB53F9D17CA213853
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h..........J+N.............................J/N.............................J.N................

Static File Info

General

File type:	Rich Text Format data, version 1, unknown character set
Entropy (8bit):	4.7600452351752605
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.rtf
File size:	2920194
MD5:	a5b0c571197ee2931e12f11caf138eff
SHA1:	a4355fe45e321b99274f8000c5ac9c08f7146b28
SHA256:	00915bcbff87b2e195e1547df8e1944cadcdc6aa46beb130bd5a960dff01c7e3
SHA512:	eff4fadba11f02724628b950cfe815347c019759f2b40ea8ce4c9dcbf13964ac3fdf76230a2a685b0a6c68d33fff24fa3f43f026b365e0efb7a4cbf992834b6c
SSDEEP:	24576:0u0HN0y/U6FoR5bjoPL/GWEuwJpiGOR2QGBl0s5mp1BRX56XRsH9dBwK3UFHzZ:z
TLSH:	07D5A67071B535C6E26F0172429FBC59521738C3B3C62D88815DEAF62ED4B7A7B81A0E
File Content Preview:	{\rtf1{\\pnseclvl3\pndec\pnstart1\pnindent720\pnhang {\pntxta .}}{\\pnseclvl4\pnlcltr\pnstart1\pnindent720\pnhang {\pntxta )}}{\\pnseclvl5\pndec\pnstart1\pnindent720\pnhang {\pntxtb (}{\pntxta )}}{\\pnseclvl6.\pnlcltr\pnstart1\pnindent720\pnhang {\pnt

File Icon


Icon Hash:	74f4c4c6c1cac4d8

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	0000129Ah	2	embedded	Package	979623	Client.exe	C:\Path\Client.exe	C:\Path\Client.exe	no
1	001E86A2h	2	embedded	Equation.3	3072				no

Network Behavior

⊘No network behavior found

Statistics

⊘No statistics

System Behavior

Analysis Process: WINWORD.EXEPID: 5144, Parent PID: 756

General

Target ID:	0
Start time:	18:52:08
Start date:	08/08/2022
Path:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13a0000
File size:	1937688 bytes
MD5 hash:	0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.rtf

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\F79DE4CE-3D38-4A51-B300-A0A52CA0A936

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{C94F2438-4712-4EDB-BA13-F546C0F4C19F}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{D3E63778-DEB8-4D19-866C-1D5344BC51ED}.tmp

C:\Users\user\AppData\Local\Temp\Client.exe

C:\Users\user\AppData\Local\Temp\Client.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.rtf.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\Desktop\~$curiteInfo.com.Exploit.Rtf.Obfuscated.32.2764.rtf

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Statistics

System Behavior

Analysis Process: WINWORD.EXEPID: 5144, Parent PID: 756

General

Disassembly

Windows Analysis Report
SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2764.rtf