
Windows Analysis Report
SecuriteInfo.com.Exploit.CVE-2018-0798.4.29399.2797.rtf

Overview

General Information

Sample Name: SecuriteInfo.com.Exploit.CVE-2018-0798.4.29399.2797.rtf
Analysis ID: 756114
MD5: 9030afe25461e39f11f8f7239217ca24
SHA1: a47f1de11c15e5901110c29f318314ffbb65326a
SHA256: b70c112ed968b0846a461d7d3c8e3681383fe28a8b5099c6201cb5bc263c2785
Tags: rtf

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara signature match

Classification

  • System is w10x64
  • WINWORD.EXE (PID: 6008 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
  • cleanup
No configs have been found
Source: SecuriteInfo.com.Exploit.CVE-2018-0798.4.29399.2797.rtf
Rule: SUSP_INDICATOR_RTF_MalVer_Objects
Description: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit (e.g. CVE-2017-11882) documents.
Author: ditekSHen
Strings:
  • 0x5445:$obj2: \objdata
  • 0x5622:$obj3: \objupdate
  • 0x541e:$obj5: \objautlink

Source: SecuriteInfo.com.Exploit.CVE-2018-0798.4.29399.2797.rtf
Rule: INDICATOR_RTF_MalVer_Objects
Description: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents.
Author: ditekSHen
Strings:
  • 0x5445:$obj2: \objdata
  • 0x5622:$obj3: \objupdate
  • 0x541e:$obj5: \objautlink
No Sigma rule has matched
No Snort rule has matched
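Both Yara hits come from the same rule family and key on two static properties the descriptions name: an RTF version header that Word itself would never write, and OLE object control words (\objdata carries the object payload, \objautlink marks it as an auto-linked object, and \objupdate tells the reader to refresh the object as soon as the document is displayed, which is what lets an embedded object load without a click). Nothing dynamic backs the verdict on this run: the process tree above shows WINWORD.EXE alone with no child process, and no Sigma or Snort rule matched, so the score rests on the static match. The script below is an added example, not code from Joe Sandbox or from ditekSHen's rule set, and it does not reproduce the rule's exact condition; it reimplements the two checks the descriptions state so the hits can be reproduced and triaged offline. The RTF bytes in it are constructed for the demonstration and are not the analysed sample.

```python
"""Static triage of an RTF blob: non-standard header plus OLE object control words.

Added example (not Joe Sandbox or ditekSHen code). The sample bytes at the
bottom are constructed for illustration, not taken from the analysed file.
"""
import re

# RTF control words that carry or trigger OLE objects. \objupdate forces the
# object to refresh when the document is shown, which is why it turns up in
# documents that need an embedded object loaded without user interaction.
OBJECT_WORDS = (
    b"\\object", b"\\objdata", b"\\objupdate", b"\\objautlink",
    b"\\objemb", b"\\objlink", b"\\objhtml",
)

# Word always writes "{\rtf1". Exploit builders often mangle this ("{\rt1",
# "{\rtf2", ...) because Word's parser is lenient while some scanners are not.
STANDARD_HEADER = b"{\\rtf1"
RTF_MAGIC = b"{\\rt"


def header_is_standard(data: bytes) -> bool:
    """True only for the canonical header that Word's own writer emits."""
    return data.startswith(STANDARD_HEADER)


def find_object_words(data: bytes) -> dict:
    """Map each object control word to the byte offsets where it occurs."""
    hits = {}
    for word in OBJECT_WORDS:
        # A control word ends at the first non-letter, so \object must not
        # also match longer words that merely share the prefix.
        pattern = re.escape(word) + rb"(?![A-Za-z])"
        offsets = [m.start() for m in re.finditer(pattern, data)]
        if offsets:
            hits[word.decode()] = offsets
    return hits


def triage_rtf(data: bytes) -> dict:
    """Summarise the two conditions the rule descriptions above are built on."""
    objects = find_object_words(data)
    looks_like_rtf = data.startswith(RTF_MAGIC)
    nonstandard = looks_like_rtf and not header_is_standard(data)
    return {
        "rtf_magic": looks_like_rtf,
        "nonstandard_header": nonstandard,
        "object_words": objects,
        # \objupdate is the piece that makes the object load on open.
        "auto_update": "\\objupdate" in objects,
        "suspicious": nonstandard and bool(objects),
    }


# Constructed sample: mangled "{\rt1" header and an auto-updating object.
SAMPLE = (
    b"{\\rt1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\n"
    b"{\\object\\objautlink\\objupdate\\objw100\\objh100"
    b"{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 0105000002000000}}\\par}"
)

# Constructed benign document as Word would write it: standard header, no objects.
BENIGN = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}Hello\\par}"

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE), ("benign", BENIGN)):
        result = triage_rtf(blob)
        print(name, {k: v for k, v in result.items() if k != "object_words"})
        for word, offsets in result["object_words"].items():
            # Hex offsets, so they line up with the Yara string hits above.
            print("  ", word, [hex(o) for o in offsets])
```

Run it against the real sample by reading the file as bytes and passing it to `triage_rtf`; the reported offsets for `\objdata`, `\objupdate` and `\objautlink` should land on the same positions the Yara strings section lists, and a standard `{\rtf1` header with objects present is the case to examine by hand rather than auto-flag, since legitimate documents embed objects too.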

AV Detection

Source: SecuriteInfo.com.Exploit.CVE-2018-0798.4.29399.2797.rtf | ReversingLabs: Detection: 30%
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: 5C23899C-57D0-46BD-BBFE-0DB21569686F.0.dr (dropped file) | String found in binary or memory, one entry per URL:
  • http://b.c2r.ts.cdn.office.net/pr
  • http://f.c2r.ts.cdn.office.net/pr
  • http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
  • http://weather.service.msn.com/data.aspx
  • https://addinsinstallation.store.office.com/app/acquisitionlogging
  • https://addinsinstallation.store.office.com/app/download
  • https://addinsinstallation.store.office.com/appinstall/authenticated
  • https://addinsinstallation.store.office.com/appinstall/preinstalled
  • https://addinsinstallation.store.office.com/appinstall/unauthenticated
  • https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
  • https://addinslicensing.store.office.com/apps/remove
  • https://addinslicensing.store.office.com/commerce/query
  • https://addinslicensing.store.office.com/entitlement/query
  • https://addinslicensing.store.office.com/orgid/apps/remove
  • https://addinslicensing.store.office.com/orgid/entitlement/query
  • https://analysis.windows.net/powerbi/api
  • https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  • https://api.aadrm.com
  • https://api.aadrm.com/
  • https://api.addins.omex.office.net/appinfo/query
  • https://api.addins.omex.office.net/appstate/query
  • https://api.addins.store.office.com/addinstemplate
  • https://api.addins.store.office.com/app/query
  • https://api.addins.store.officeppe.com/addinstemplate
  • https://api.cortana.ai
  • https://api.diagnostics.office.com
  • https://api.diagnosticssdf.office.com
  • https://api.diagnosticssdf.office.com/v2/feedback
  • https://api.diagnosticssdf.office.com/v2/file
  • https://api.microsoftstream.com/api/
  • https://api.office.net
  • https://api.onedrive.com
  • https://api.powerbi.com/beta/myorg/imports
  • https://api.powerbi.com/v1.0/myorg/datasets
  • https://api.powerbi.com/v1.0/myorg/groups
  • https://api.scheduler.
  • https://apis.live.net/v5.0/
  • https://arc.msn.com/v4/api/selection
  • https://asgsmsproxyapi.azurewebsites.net/
  • https://augloop.office.com
  • https://augloop.office.com/v2
  • https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
  • https://autodiscover-s.outlook.com/
  • https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
  • https://cdn.entity.
  • https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
  • https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
  • https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
  • https://client-office365-tas.msedge.net/ab
  • https://clients.config.office.net/
  • https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
  • https://clients.config.office.net/user/v1.0/android/policies
  • https://clients.config.office.net/user/v1.0/ios
  • https://clients.config.office.net/user/v1.0/mac
  • https://clients.config.office.net/user/v1.0/tenantassociationkey
  • https://cloudfiles.onenote.com/upload.aspx
  • https://config.edge.skype.com
  • https://config.edge.skype.com/config/v1/Office
  • https://config.edge.skype.com/config/v2/Office
  • https://consent.config.office.com/consentcheckin/v1.0/consents
  • https://consent.config.office.com/consentweb/v1.0/consents
  • https://cortana.ai
  • https://cortana.ai/api
  • https://cr.office.com
  • https://dataservice.o365filtering.com
  • https://dataservice.o365filtering.com/
  • https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
  • https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
  • https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
  • https://dev.cortana.ai
  • https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
  • https://dev0-api.acompli.net/autodetect
  • https://devnull.onenote.com
  • https://directory.services.
  • https://ecs.office.com/config/v2/Office
  • https://enrichment.osi.office.net/
  • https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
  • https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
  • https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
  • https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
  • https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
  • https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
  • https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
  • https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
  • https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
  • https://entitlement.diagnostics.office.com
  • https://entitlement.diagnosticssdf.office.com
  • https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  • https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
  • https://globaldisco.crm.dynamics.com
  • https://graph.ppe.windows.net
  • https://graph.ppe.windows.net/
  • https://graph.windows.net
  • https://graph.windows.net/
  • https://hubblecontent.osi.office.net/contentsvc/api/telemetry
  • https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
  • https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
  • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
  • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
  • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
  • https://hubblecontent.osi.office.net/contentsvc/microsofticon?
  • https://incidents.diagnostics.office.com
  • https://incidents.diagnosticssdf.office.com
  • https://inclient.store.office.com/gyro/client
  • https://inclient.store.office.com/gyro/clientstore
  • https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
  • https://insertmedia.bing.office.net/odc/insertmedia
  • https://invites.office.com/
  • https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
  • https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
  • https://lifecycle.office.com
  • https://login.microsoftonline.com/
  • https://login.windows-ppe.net/common/oauth2/authorize
  • https://login.windows.local
  • https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
  • https://login.windows.net/common/oauth2/authorize
  • https://loki.delve.office.com/api/v1/configuration/officewin32/
  • https://lookup.onenote.com/lookup/geolocation/v1
  • https://management.azure.com
  • https://management.azure.com/
  • https://messaging.action.office.com/
  • https://messaging.action.office.com/setcampaignaction
  • https://messaging.action.office.com/setuseraction16
  • https://messaging.engagement.office.com/
  • https://messaging.engagement.office.com/campaignmetadataaggregator
  • https://messaging.lifecycle.office.com/
  • https://messaging.lifecycle.office.com/getcustommessage16
  • https://messaging.office.com/
  • https://metadata.templates.cdn.office.net/client/log
  • https://my.microsoftpersonalcontent.com
  • https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
  • https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  • https://ncus.contentsync.
  • https://ncus.pagecontentsync.
  • https://o365auditrealtimeingestion.manage.office.com
  • https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
  • https://ocos-office365-s2s.msedge.net/ab
  • https://ods-diagnostics-ppe.trafficmanager.net
  • https://ofcrecsvcapi-int.azurewebsites.net/
  • https://officeapps.live.com
  • https://officeci.azurewebsites.net/api/
  • https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
  • https://officesetup.getmicrosoftkey.com
  • https://ogma.osi.office.net/TradukoApi/api/v1.0/
  • https://omex.cdn.office.net/addinclassifier/officeentities
  • https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
  • https://omex.cdn.office.net/addinclassifier/officesharedentities
  • https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
  • https://onedrive.live.com
  • https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
  • https://onedrive.live.com/embed?
  • https://osi.office.net
  • https://otelrules.azureedge.net
  • https://outlook.office.com
  • https://outlook.office.com/
  • https://outlook.office.com/autosuggest/api/v1/init?cvid=
  • https://outlook.office365.com
  • https://outlook.office365.com/
  • https://outlook.office365.com/api/v1.0/me/Activities
  • https://outlook.office365.com/autodiscover/autodiscover.json
  • https://ovisualuiapp.azurewebsites.net/pbiagave/
  • https://pages.store.office.com/appshome.aspx?productgroup=Outlook
  • https://pages.store.office.com/review/query
  • https://pages.store.office.com/webapplandingpage.aspx
  • https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
  • https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
  • https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
  • https://portal.office.com/account/?ref=ClientMeControl
  • https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
  • https://powerlift-frontdesk.acompli.net
  • https://powerlift.acompli.net
  • https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
  • https://prod-global-autodetect.acompli.net/autodetect
  • https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
  • https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
  • https://res.getmicrosoftkey.com/api/redemptionevents
  • https://rpsticket.partnerservices.getmicrosoftkey.com
  • https://settings.outlook.com
  • https://shell.suite.office.com:1443
  • https://skyapi.live.net/Activity/
  • https://sr.outlook.office.net/ws/speech/recognize/assistant/work
  • https://staging.cortana.ai
  • https://storage.live.com/clientlogs/uploadlocation
  • https://store.office.cn/addinstemplate
  • https://store.office.de/addinstemplate
  • https://substrate.office.com/search/api/v1/SearchHistory
  • https://substrate.office.com/search/api/v2/init
  • https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
  • https://tasks.office.com
  • https://uci.cdn.office.net/mirrored/smartlookup/current/
  • https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
  • https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
  • https://visio.uservoice.com/forums/368202-visio-on-devices
  • https://web.microsoftstream.com/video/
  • https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
  • https://webshell.suite.office.com
  • https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
  • https://wus2.contentsync.
  • https://wus2.pagecontentsync.
  • https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
  • https://www.odwebp.svc.ms

System Summary

barindex
Source: SecuriteInfo.com.Exploit.CVE-2018-0798.4.29399.2797.rtf, type: SAMPLEMatched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: SecuriteInfo.com.Exploit.CVE-2018-0798.4.29399.2797.rtf, type: SAMPLE; Matched rule: SUSP_INDICATOR_RTF_MalVer_Objects (date = 2022-10-20, hash2 = a31da6c6a8a340901f764586a28bd5f11f6d2a60a38bf60acd844c906a0d44b1, author = ditekSHen, description = Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents., score = 43812ca7f583e40b3e3e92ae90a7e935c87108fa863702aa9623c6b7dc3697a2, reference = https://github.com/ditekshen/detection)
Source: SecuriteInfo.com.Exploit.CVE-2018-0798.4.29399.2797.rtf, type: SAMPLE; Matched rule: INDICATOR_RTF_MalVer_Objects (author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.)
Source: SecuriteInfo.com.Exploit.CVE-2018-0798.4.29399.2797.rtf; ReversingLabs: Detection: 30%
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Temp\{5E3A2E03-1E37-45A6-A8F8-D82895BE7A3B} - OProcSessId.dat
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: classification engine; Classification label: mal56.winRTF@1/6@0/0
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; File read: C:\Users\desktop.ini
Source: SecuriteInfo.com.Exploit.CVE-2018-0798.4.29399.2797.LNK.0.dr; LNK file: ..\..\..\..\..\Desktop\SecuriteInfo.com.Exploit.CVE-2018-0798.4.29399.2797.rtf
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Masquerading (1) | OS Credential Dumping | File and Directory Discovery (1) | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | System Information Discovery (2) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |

The number in parentheses is the count of matched signatures mapped to that technique; techniques without a number had no match.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| SecuriteInfo.com.Exploit.CVE-2018-0798.4.29399.2797.rtf | 31% | ReversingLabs | Document-RTF.Exploit.CVE-2017-11882 | |
No Antivirus matches
No contacted domains info
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          unknown
                                                                                                                                          https://graph.windows.net/5C23899C-57D0-46BD-BBFE-0DB21569686F.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://api.powerbi.com/beta/myorg/imports5C23899C-57D0-46BD-BBFE-0DB21569686F.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://devnull.onenote.com5C23899C-57D0-46BD-BBFE-0DB21569686F.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://messaging.action.office.com/5C23899C-57D0-46BD-BBFE-0DB21569686F.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://ncus.pagecontentsync.5C23899C-57D0-46BD-BBFE-0DB21569686F.0.drfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown
                                                                                                                                                  https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json5C23899C-57D0-46BD-BBFE-0DB21569686F.0.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://messaging.office.com/5C23899C-57D0-46BD-BBFE-0DB21569686F.0.drfalse
                                                                                                                                                      high
No contacted IP infos
Joe Sandbox Version:36.0.0 Rainbow Opal
Analysis ID:756114
Start date and time:2022-11-29 16:49:09 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 5m 24s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:SecuriteInfo.com.Exploit.CVE-2018-0798.4.29399.2797.rtf
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal56.winRTF@1/6@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .rtf
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
• Excluded IPs from analysis (whitelisted): 52.109.76.141, 20.231.70.194, 20.224.201.79
• Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, config.officeapps.live.com, prod.configsvc1.live.com.akadns.net, nexus.officeapps.live.com, officeclient.microsoft.com, europe.configsvc1.live.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• VT rate limit hit for: SecuriteInfo.com.Exploit.CVE-2018-0798.4.29399.2797.rtf
No simulations
No context
Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):149710
Entropy (8bit):5.359454617114472
Encrypted:false
SSDEEP:1536:hL+C7/gUMB5BQguw/BQ9DQe+zQVk4F77nXmvid3XRcE6Lcz6S:w5Q9DQe+zCXzJ
MD5:FEB719780ABDD7669810C28C66C938F7
SHA1:6E63788A422BF66259A794725C347BD01084A328
SHA-256:4FAA2B78852763410C3F2C9ACF5143CB7AA4C05B5AC430740F5ED22B4E7D4B70
SHA-512:B5B0075E9F82659629949750CFAD871675A5905EC41A39372101379DCEE238F5DF43FFF6FAF81EDFF3579D1A10F4E7ADF9E59B5CF5BB66CB754EA139C54E4223
Malicious:false
Reputation:low
Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-11-29T15:50:16">.. Build: 16.0.15913.30526-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuthorityU

Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Aug 16 12:41:41 2022, mtime=Tue Nov 29 14:51:05 2022, atime=Tue Nov 29 14:51:00 2022, length=26570, window=hide
Category:dropped
Size (bytes):1260
Entropy (8bit):4.673625813329463
Encrypted:false
SSDEEP:24:88b4ESRC5DCdPUAxbchcHCdBD4e5ek7aB6m:8Y4ES4CVjx0cHCzAhB6
MD5:1B86048047F0B5DE84EB1DE1E80195C0
SHA1:3E87F61F35E7C059EAFF47C4206C6F50E2927C23
SHA-256:40DCC733BA62C689AE7548C9435DDDEFB101D94EDB7C0F939C196A3119647288
SHA-512:37C8242BC6760974FDBC5694A266E01CEFC349ABA8CE44F0FD1BD1C96C4ED33E15ECE5EE32E468A45C930C112308E6E4FD172E7DAEC1B73A6AC2A4EDE79480C5
Malicious:false
Reputation:low
Preview:L..................F.... ...L..u......c....7M.`.....g......................1....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..}UY~....................:......;..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1......U7m..user.<.......N..}UY~....#J........................j.o.n.e.s.....~.1......U8m..Desktop.h.......N..}UY~.....Y..............>.....Ar..D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2..g..}Ua~ .SECURI~1.RTF..........U5m}Ua~....P......................)..S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...C.V.E.-.2.0.1.8.-.0.7.9.8...4...2.9.3.9.9...2.7.9.7...r.t.f.......}...............-.......|...........>.S......C:\Users\user\Desktop\SecuriteInfo.com.Exploit.CVE-2018-0798.4.29399.2797.rtf..N.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...C.V.E.-.2.0.1.8.-.0.7.9.8...4...2.9.3.9.9...2.7.9.7...r.t.f.........:..,.LB.)...As...`.......X.......210395...........!a..%.H.VZAj.....

Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):160
Entropy (8bit):5.088217340833089
Encrypted:false
SSDEEP:3:bDuMJluscbcK+KX5C3FSmxWIMov8bcK+KX5C3FSv:bCVwKhXcJ8wKhXcm
MD5:B5096C16B856E29A1E3FD0496AD7DE37
SHA1:DDA79308DD6054E15CBC4B5BA9011BC2767CA5D5
SHA-256:F60007FE1AFC15255C86F27BF4A096D056A3555756557C1CFA5ECF82FBDAC9EF
SHA-512:CD75FAE398C9FF2062C9EAE9955E7678306B4902CA20703049CA13A02544C0532FD24CAC48902505C044BE2BEC5F84D833356353146B90A51E2D7B12621B152B
Malicious:false
Reputation:low
Preview:[folders]..Templates.LNK=0..SecuriteInfo.com.Exploit.CVE-2018-0798.4.29399.2797.LNK=0..[misc??????]..SecuriteInfo.com.Exploit.CVE-2018-0798.4.29399.2797.LNK=0..

Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):162
Entropy (8bit):2.1150565317044547
Encrypted:false
SSDEEP:3:Rl/Zdu4/Lt6/jp5lXlXtleKV/ttln:RtZ/Lt6/l5lXVt
MD5:8D439B60EE3D036A98AE07C3B96A8201
SHA1:5693F8FCCB47217E4A0AEA7FA3CFE98CDB0F9362
SHA-256:A2AF9570E93C5F6576A18BC58418E1B0112DC0D190B49367EDFF69D68AB9C108
SHA-512:E9E0DCF5D5F215B03446B745BAE28A651BBF567FF215E82AD5125205775D8498E385475D375E67D961E7C6251C2AF6796F0719BBC68E8B0774E6E0DF4D160FA5
Malicious:false
Reputation:low
Preview:.pratesh................................................p.r.a.t.e.s.h..........|..........x....................|...............................|..................

Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:modified
Size (bytes):20
Entropy (8bit):2.8954618442383215
Encrypted:false
SSDEEP:3:QVNliGn:Q9rn
MD5:C4F79900719F08A6F11287E3C7991493
SHA1:754325A769BE6ECCC664002CD8F6BDB0D0B8CA4D
SHA-256:625CA96CCA65A363CC76429804FF47520B103D2044BA559B11EB02AB7B4D79A8
SHA-512:0F3C498BC7680B4C9167F790CC0BE6C889354AF703ABF0547F87B78FEB0BAA9F5220691DF511192B36AD9F3F69E547E6D382833E6BC25CDB4CD2191920970C5F
Malicious:false
Reputation:high, very likely benign file
Preview:..p.r.a.t.e.s.h.....

Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):162
Entropy (8bit):2.1150565317044547
Encrypted:false
SSDEEP:3:Rl/Zdu4/Lt6/jp5lXlXtleKV/ttln:RtZ/Lt6/l5lXVt
MD5:8D439B60EE3D036A98AE07C3B96A8201
SHA1:5693F8FCCB47217E4A0AEA7FA3CFE98CDB0F9362
SHA-256:A2AF9570E93C5F6576A18BC58418E1B0112DC0D190B49367EDFF69D68AB9C108
SHA-512:E9E0DCF5D5F215B03446B745BAE28A651BBF567FF215E82AD5125205775D8498E385475D375E67D961E7C6251C2AF6796F0719BBC68E8B0774E6E0DF4D160FA5
Malicious:false
Reputation:low
Preview:.pratesh................................................p.r.a.t.e.s.h..........|..........x....................|...............................|..................
File type:Rich Text Format data, version 1
Entropy (8bit):5.597856428320499
TrID:
• Poser pose (12501/1) 58.12%
• Rich Text Format (5005/1) 23.27%
• Rich Text Format (4004/1) 18.61%
File name:SecuriteInfo.com.Exploit.CVE-2018-0798.4.29399.2797.rtf
File size:26570
MD5:9030afe25461e39f11f8f7239217ca24
SHA1:a47f1de11c15e5901110c29f318314ffbb65326a
SHA256:b70c112ed968b0846a461d7d3c8e3681383fe28a8b5099c6201cb5bc263c2785
SHA512:50b8108d0a23027cd59163784abeacb4a3cce4e9b160176786b420d0febcbd1046b24ca38061bc4bb0cd466a9fddf84e7fa0e3eb68866c7b18a01c717793e47e
SSDEEP:384:6QMmdOFNYY0aaaIswqPeOrka1+fHQJ+t3rQkRhZfAlnjXYtG2eQkp5wDBhPjZ:WFx0XaIsnPRIa4fwJMKlnjXf2e54DDZ
TLSH:6DC24C67F798133D478301D1765F2BE8EB2EA53923A095612C6C92782385CBA43377ED
File Content Preview:{\rtf1............{\*\adjust2Value201371486 \;}.{\146269019Document created in earlier version microsoft office word.To view or edit this document, please click ("Enable editing") from the yellow bar aboveASSIGNMENTMCS 473: MARKETING MANAGEMENT & STRATEGY
Icon Hash:74f4c4c6c1cac4d8
Id:0
Start:0000544Fh
Format ID:
Format:
Classname:
Datasize:
Filename:
Sourcepath:
Temppath:
Exploit:no
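The object table gives only the byte offset at which the embedded object starts. The following Python script is an editor's example added here, not code from the Joe Sandbox report or from the sample's author: it checks the RTF magic, computes the same 8-bit entropy figure the static info lists, locates the control words that mark embedded or linked objects (\objdata, \objupdate, \objautlink, \objemb, \objlink) with their offsets, and decodes the hex payload of every \objdata group to see whether it begins with an OLE compound-file header. The input is a constructed sample RTF, not the analysed file; the function names are the example's own.

```python
import math
import re
from binascii import unhexlify

# Constructed sample (NOT the analysed file): a minimal RTF carrying one
# \objautlink object whose \objdata hex payload starts with an OLE compound
# file header (D0 CF 11 E0 A1 B1 1A E1) followed by filler bytes.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi{\\*\\adjust2Value201371486 \\;}"
    b"{\\object\\objautlink\\objupdate{\\*\\objdata "
    b"d0cf11e0a1b11ae1 00000000 00000000\n"
    b"0000000000000000}}"
    b"\\par}"
)

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# Control words that mark an embedded or linked object in RTF.
OBJECT_CONTROL_WORDS = (b"\\objdata", b"\\objupdate", b"\\objautlink",
                        b"\\objemb", b"\\objlink")


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_rtf(data: bytes) -> bool:
    """True if the file starts with the RTF group opener."""
    return data.startswith(b"{\\rtf")


def find_object_control_words(data: bytes):
    """Return sorted (offset, control_word) pairs for object control words."""
    hits = []
    for cw in OBJECT_CONTROL_WORDS:
        # The lookahead stops \objdata from matching a longer word such as \objdatax.
        for m in re.finditer(re.escape(cw) + rb"(?![a-zA-Z])", data):
            hits.append((m.start(), cw.decode()))
    return sorted(hits)


def extract_objdata(data: bytes):
    """Decode every {\\*\\objdata ...} group.

    Returns (group_offset, payload_bytes, starts_with_ole_header) per group.
    Braces are tracked so the group ends at its matching close brace; the
    body is treated as hex text with whitespace allowed, as the RTF spec
    describes. Non-hex characters are simply dropped, which is fine for
    clean files but not for obfuscated ones (see the note below).
    """
    results = []
    for m in re.finditer(rb"\\\*\\objdata\b", data):
        start = m.end()
        depth = 1
        i = start
        while i < len(data) and depth:
            if data[i] == 0x7B:      # '{'
                depth += 1
            elif data[i] == 0x7D:    # '}'
                depth -= 1
            i += 1
        end = i - 1 if depth == 0 else i   # unterminated group: take the rest
        body = data[start:end]
        hexchars = re.sub(rb"[^0-9A-Fa-f]", b"", body)
        if len(hexchars) % 2:
            hexchars = hexchars[:-1]  # drop a dangling nibble
        payload = unhexlify(hexchars)
        results.append((m.start(), payload, payload.startswith(OLE_MAGIC)))
    return results


def triage(data: bytes) -> dict:
    """Summary comparable to the static-info fields of a sandbox report."""
    objects = extract_objdata(data)
    return {
        "is_rtf": is_rtf(data),
        "size": len(data),
        "entropy": round(shannon_entropy(data), 4),
        "object_control_words": find_object_control_words(data),
        "objects": [
            {"offset": off, "size": len(p), "ole": ole} for off, p, ole in objects
        ],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_RTF), indent=2))
```

On a real sample, read the file into `data` and call `triage(data)`; an object whose decoded payload lacks the OLE header, or whose \objdata body is padded with stray control words and escapes, is the obfuscation pattern malicious RTFs commonly use, and for such files the oletools `rtfobj` utility is the right extractor, since the plain non-hex stripping above will yield wrong bytes on them.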
No network behavior found


Target ID:0
Start time:16:51:01
Start date:29/11/2022
Path:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:0xd0000
File size:1937688 bytes
MD5 hash:0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

No disassembly