
Windows Analysis Report
101POH0000000166.rtf

Overview

General Information

Sample Name: 101POH0000000166.rtf
Analysis ID: 791304
MD5: 5241cc04162b7134f0e28d75286e8403
SHA1: 3a9e51c888314e69aa258492da237c1d4737f6b6
SHA256: 5dcd3d5273d069fe4825f22323aed5b7eaa8c745f5974e757c1919fbbcf6bcae

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Sample execution stops while process was sleeping (likely an evasion)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Analysis Advice

No malicious behavior found; also analyze the document on other versions of Office / Acrobat
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
  • System is w10x64
  • WINWORD.EXE (PID: 5888 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
    • splwow64.exe (PID: 5060 cmdline: C:\Windows\splwow64.exe 12288 MD5: 8D59B31FF375059E3C32B17BF31A76D5)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures.

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE; File opened: C:\Windows\SysWOW64\MSVCR100.dll