Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.Exploit.CVE-2018-0798.4.29399.2797.rtf

Rich Text Format data, version 1

initial sample

Details

Filetype:	Rich Text Format data, version 1
Entropy:	5.597856428320499
Filename:	SecuriteInfo.com.Exploit.CVE-2018-0798.4.29399.2797.rtf
Filesize:	26570
MD5:	9030afe25461e39f11f8f7239217ca24
SHA1:	a47f1de11c15e5901110c29f318314ffbb65326a
SHA256:	b70c112ed968b0846a461d7d3c8e3681383fe28a8b5099c6201cb5bc263c2785
SHA512:	50b8108d0a23027cd59163784abeacb4a3cce4e9b160176786b420d0febcbd1046b24ca38061bc4bb0cd466a9fddf84e7fa0e3eb68866c7b18a01c717793e47e
SSDEEP:	384:6QMmdOFNYY0aaaIswqPeOrka1+fHQJ+t3rQkRhZfAlnjXYtG2eQkp5wDBhPjZ:WFx0XaIsnPRIa4fwJMKlnjXf2e54DDZ
Preview:	{\rtf1............{\*\adjust2Value201371486 \;}.{\146269019Document created in earlier version microsoft office word.To view or edit this document, please click ("Enable editing") from the yellow bar aboveASSIGNMENTMCS 473: MARKETING MANAGEMENT & STRATEGY

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Yara signature match	System Summary
Sample is known by Antivirus	System Summary

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5C23899C-57D0-46BD-BBFE-0DB21569686F

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5C23899C-57D0-46BD-BBFE-0DB21569686F
Category:	dropped
Dump:	5C23899C-57D0-46BD-BBFE-0DB21569686F.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	5.359454617114472
Encrypted:	false
Ssdeep:	1536:hL+C7/gUMB5BQguw/BQ9DQe+zQVk4F77nXmvid3XRcE6Lcz6S:w5Q9DQe+zCXzJ
Size:	149710
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SecuriteInfo.com.Exploit.CVE-2018-0798.4.29399.2797.LNK

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Aug 16 12:41:41 2022, mtime=Tue Nov 29 14:51:05 2022, atime=Tue Nov 29 14:51:00 2022, length=26570, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SecuriteInfo.com.Exploit.CVE-2018-0798.4.29399.2797.LNK
Category:	dropped
Dump:	SecuriteInfo.com.Exploit.CVE-2018-0798.4.29399.2797.LNK.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Aug 16 12:41:41 2022, mtime=Tue Nov 29 14:51:05 2022, atime=Tue Nov 29 14:51:00 2022, length=26570, window=hide
Entropy:	4.673625813329463
Encrypted:	false
Ssdeep:	24:88b4ESRC5DCdPUAxbchcHCdBD4e5ek7aB6m:8Y4ES4CVjx0cHCzAhB6
Size:	1260
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Category:	dropped
Dump:	index.dat.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Type:	ASCII text, with CRLF line terminators
Entropy:	5.088217340833089
Encrypted:	false
Ssdeep:	3:bDuMJluscbcK+KX5C3FSmxWIMov8bcK+KX5C3FSv:bCVwKhXcJ8wKhXcm
Size:	160
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Category:	dropped
Dump:	~$Normal.dotm.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Type:	data
Entropy:	2.1150565317044547
Encrypted:	false
Ssdeep:	3:Rl/Zdu4/Lt6/jp5lXlXtleKV/ttln:RtZ/Lt6/l5lXVt
Size:	162
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Unicode text, UTF-16, little-endian text, with CRLF line terminators

modified

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
Category:	modified
Dump:	CUSTOM.DIC.0.dr
ID:	dr_5
Target ID:	0
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	2.8954618442383215
Encrypted:	false
Ssdeep:	3:QVNliGn:Q9rn
Size:	20
Whitelisted:	false
Reputation:	high

C:\Users\user\Desktop\~$curiteInfo.com.Exploit.CVE-2018-0798.4.29399.2797.rtf

data

dropped

Details

File:	C:\Users\user\Desktop\~$curiteInfo.com.Exploit.CVE-2018-0798.4.29399.2797.rtf
Category:	dropped
Dump:	~$curiteInfo.com.Exploit.CVE-2018-0798.4.29399.2797.rtf.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Type:	data
Entropy:	2.1150565317044547
Encrypted:	false
Ssdeep:	3:Rl/Zdu4/Lt6/jp5lXlXtleKV/ttln:RtZ/Lt6/l5lXVt
Size:	162
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	6008
Target ID:	0
Parent PID:	796
Name:	WINWORD.EXE
Class:	word
Path:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Commandline:	"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Size:	1937688
MD5:	0B9AB9B9C4DE429473D6450D4297A123
Time:	16:51:01
Date:	29/11/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xd0000
Modulesize:	1933312
Wow64:	true

URLs

Name

Malicious

https://api.diagnosticssdf.office.com

unknown

https://login.microsoftonline.com/

unknown

https://shell.suite.office.com:1443

unknown

https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize

unknown

https://autodiscover-s.outlook.com/

unknown

https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr

unknown

https://cdn.entity.

unknown

https://api.addins.omex.office.net/appinfo/query

unknown

https://clients.config.office.net/user/v1.0/tenantassociationkey

unknown

https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/

unknown

https://powerlift.acompli.net

unknown

https://rpsticket.partnerservices.getmicrosoftkey.com

unknown

https://lookup.onenote.com/lookup/geolocation/v1

unknown

https://cortana.ai

unknown

https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech

unknown

https://cloudfiles.onenote.com/upload.aspx

unknown

https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile

unknown

https://entitlement.diagnosticssdf.office.com

unknown

https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy

unknown

https://api.aadrm.com/

unknown

https://ofcrecsvcapi-int.azurewebsites.net/

unknown

https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies

unknown

https://api.microsoftstream.com/api/

unknown

https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive

unknown

https://cr.office.com

unknown

https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h

unknown

https://portal.office.com/account/?ref=ClientMeControl

unknown

https://graph.ppe.windows.net

unknown

https://res.getmicrosoftkey.com/api/redemptionevents

unknown

https://powerlift-frontdesk.acompli.net

unknown

https://tasks.office.com

unknown

https://officeci.azurewebsites.net/api/

unknown

https://sr.outlook.office.net/ws/speech/recognize/assistant/work

unknown

https://api.scheduler.

unknown

https://my.microsoftpersonalcontent.com

unknown

https://store.office.cn/addinstemplate

unknown

https://api.aadrm.com

unknown

https://outlook.office.com/autosuggest/api/v1/init?cvid=

unknown

https://globaldisco.crm.dynamics.com

unknown

https://messaging.engagement.office.com/

unknown

https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech

unknown

https://dev0-api.acompli.net/autodetect

unknown

https://www.odwebp.svc.ms

unknown

https://api.diagnosticssdf.office.com/v2/feedback

unknown

https://api.powerbi.com/v1.0/myorg/groups

unknown

https://web.microsoftstream.com/video/

unknown

https://api.addins.store.officeppe.com/addinstemplate

unknown

https://graph.windows.net

unknown

https://dataservice.o365filtering.com/

unknown

https://officesetup.getmicrosoftkey.com

unknown

https://analysis.windows.net/powerbi/api

unknown

https://prod-global-autodetect.acompli.net/autodetect

unknown

https://outlook.office365.com/autodiscover/autodiscover.json

unknown

https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios

unknown

https://consent.config.office.com/consentcheckin/v1.0/consents

unknown

https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech

unknown

https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices

unknown

https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json

unknown

https://ncus.contentsync.

unknown

https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false

unknown

https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/

unknown

http://weather.service.msn.com/data.aspx

unknown

https://apis.live.net/v5.0/

unknown

https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks

unknown

https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios

unknown

https://messaging.lifecycle.office.com/

unknown

https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml

unknown

https://management.azure.com

unknown

https://outlook.office365.com

unknown

https://wus2.contentsync.

unknown

https://incidents.diagnostics.office.com

unknown

https://clients.config.office.net/user/v1.0/ios

unknown

https://insertmedia.bing.office.net/odc/insertmedia

unknown

https://o365auditrealtimeingestion.manage.office.com

unknown

https://outlook.office365.com/api/v1.0/me/Activities

unknown

https://api.office.net

unknown

https://incidents.diagnosticssdf.office.com

unknown

https://asgsmsproxyapi.azurewebsites.net/

unknown

https://clients.config.office.net/user/v1.0/android/policies

unknown

https://entitlement.diagnostics.office.com

unknown

https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json

unknown

https://substrate.office.com/search/api/v2/init

unknown

https://outlook.office.com/

unknown

https://storage.live.com/clientlogs/uploadlocation

unknown

https://outlook.office365.com/

unknown

https://webshell.suite.office.com

unknown

https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive

unknown

https://substrate.office.com/search/api/v1/SearchHistory

unknown

https://management.azure.com/

unknown

https://messaging.lifecycle.office.com/getcustommessage16

unknown

https://clients.config.office.net/c2r/v1.0/InteractiveInstallation

unknown

https://login.windows.net/common/oauth2/authorize

unknown

https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile

unknown

https://graph.windows.net/

unknown

https://api.powerbi.com/beta/myorg/imports

unknown

https://devnull.onenote.com

unknown

https://messaging.action.office.com/

unknown

https://ncus.pagecontentsync.

unknown

https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json

unknown

https://messaging.office.com/

unknown

There are 90 hidden URLs, click here to show them.

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\StartupItems

= .

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\StartupItems

l .

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\IOAV

LastBootTime

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\StartupItems

:b.

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache

RemoteClearDate

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3

Last

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0

FilePath

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0

StartDate

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0

EndDate

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0

Properties

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0

Url

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache

LastClean

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\StartupItems

gj.

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

DisableWinHttpCertAuth

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

DisableIsOwnerRegex

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

DisableSessionAwareHttpClose

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

DisableADALForExtendedApps

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

DisableADALSetSilentAuth

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

msoridDisableGuestCredProvider

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

msoridDisableOstringReplace

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\25D1B

25D1B

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage

VBAFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Word8.0

MSForms

HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Word8.0

MSComctlLib

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Proofing Tools\1.0\Custom Dictionaries

UpdateComplete

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.1\1033

Options Version

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.1\1033\Option Set 0

Name

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.1\1033\Option Set 0

Data

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.1\1033\Option Set 1

Name

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.1\1033\Option Set 1

Data

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\Trusted Documents

LastPurgeTime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage

ProductFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-US

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-US

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage

WORDFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage

ProductFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\IOAV

LastBootTime

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming

RoamingConfigurableSettings

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming

RoamingLastSyncTime

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming

RoamingLastWriteTime