documentation_39236.xlsb

Status: finished
Submission Time: 08.07.2021 15:44:16
Classification: Malicious, Trojan, Exploiter, Evader, Ursnif

Details

  • Analysis ID:
    445916
  • API (Web) ID:
    813505
  • Analysis Started:
    08.07.2021 15:44:17
  • Analysis Finished:
    08.07.2021 15:58:20
  • MD5:
    31ed7b3f7d7173afe801858e30c0fb62
  • SHA1:
    40376b923682dc858806071f97cb64f781142dbb
  • SHA256:
    8081a3a7be80c197b850d2c1e3cac75944d3fb55fda2b312815f565616366843

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

Verdict: malicious (score 100/100)
Detection: malicious (7/89)

IPs

IP | Country
165.232.183.49 | United States
162.241.253.78 | United States

Domains

Name | IP
gtr.antoinfer.com | 165.232.183.49
free.mynowministries.com | 162.241.253.78

URLs

Name Detection

Dropped files

Name | File Type
C:\Users\Public\Documents\decrypt.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\app[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5DCD6FF6-E03E-11EB-90E4-ECF4BB862DED}.dat | Microsoft Word Document
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7879BAA2-E03E-11EB-90E4-ECF4BB862DED}.dat | Microsoft Word Document
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5DCD6FF8-E03E-11EB-90E4-ECF4BB862DED}.dat | Microsoft Word Document
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7879BAA4-E03E-11EB-90E4-ECF4BB862DED}.dat | Microsoft Word Document
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7879BAA6-E03E-11EB-90E4-ECF4BB862DED}.dat | Microsoft Word Document
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7879BAA8-E03E-11EB-90E4-ECF4BB862DED}.dat | Microsoft Word Document
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7879BAAA-E03E-11EB-90E4-ECF4BB862DED}.dat | Microsoft Word Document
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7879BAAC-E03E-11EB-90E4-ECF4BB862DED}.dat | Microsoft Word Document
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3A4E1985-998D-4759-B374-77BB71813A62 | XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E633A7EE.jpg | JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 1684x1191, frames 3
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\FCD9B161.jpg | JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 1684x1191, frames 3
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\o596c7z[1].htm | ASCII text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\M8anWcq[1].htm | ASCII text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\gWg[1].htm | ASCII text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\othn[1].htm | ASCII text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\K[1].htm | ASCII text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\UZ97[1].htm | ASCII text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log | ASCII text, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iu1bwi3u.hs4.psm1 | very short file (no magic)
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mqu4u5sp.pln.ps1 | very short file (no magic)
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pfa1axxq.cvf.ps1 | very short file (no magic)
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xm5ssgy3.k4v.psm1 | very short file (no magic)
C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.0.cs | UTF-8 Unicode (with BOM) text
C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.out | UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.0.cs | UTF-8 Unicode (with BOM) text
C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.out | UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
C:\Users\user\AppData\Local\Temp\~DF2EB1C9CA29BD00CF.TMP | data
C:\Users\user\AppData\Local\Temp\~DF436C4ACF406520B7.TMP | data
C:\Users\user\AppData\Local\Temp\~DF4AB9BBFB5CFFE773.TMP | data
C:\Users\user\AppData\Local\Temp\~DF6208F46269C5D052.TMP | data
C:\Users\user\AppData\Local\Temp\~DF903C43FA17F64456.TMP | data
C:\Users\user\AppData\Local\Temp\~DF97CC7EC2853BA6EC.TMP | data
C:\Users\user\AppData\Local\Temp\~DF99BD870E81A4914B.TMP | data
C:\Users\user\AppData\Local\Temp\~DFA7B5BF1FB774EA36.TMP | data
C:\Users\user\Desktop\~$documentation_39236.xlsb | data
C:\Users\user\Documents\20210708\PowerShell_transcript.632922.jVqfQyN1.20210708154748.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators
C:\Users\user\Documents\20210708\PowerShell_transcript.632922.yKWYpH3L.20210708154747.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators
#