documentation_39236.xlsb

Status: finished

Submission Time: 2021-07-08 15:44:16 +02:00

Malicious

Trojan

Exploiter

Evader

Ursnif

Comments

Details

Analysis ID:
445916
API (Web) ID:
813505
Analysis Started:

2021-07-08 15:44:17 +02:00
Analysis Finished:

2021-07-08 15:58:20 +02:00
MD5:
31ed7b3f7d7173afe801858e30c0fb62
SHA1:
40376b923682dc858806071f97cb64f781142dbb
SHA256:
8081a3a7be80c197b850d2c1e3cac75944d3fb55fda2b312815f565616366843
Technologies:

Engines
IOCs

Joe Sandbox

Engine	Download Report	Detection	Info
	Full Report Management Report IOC Report	malicious Score: 100	System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

Open Full Report

malicious

Score: 7/89

IPs

IP	Country	Detection
165.232.183.49	United States
162.241.253.78	United States

Domains

Name	IP	Detection
gtr.antoinfer.com	165.232.183.49
free.mynowministries.com	162.241.253.78

URLs

Name	Detection
http://gtr.antoinfer.com/IW0KvL6zqxcwdal5Ue/sV05YuqDL/CUY_2FYXWgTEAN2MleRL/cOthmAfIFOrxcxXsh59/
http://gtr.antoinfer.com/favicon.ico
http://gtr.antoinfer.com/7lD6H27N_2/BPcjmtAv0Zw4YWBW5/_2Fxf1uK6WCO/_2Fjr90UDnf/fvsahgiWLN_2Bo/Vmn_2FfIBHwVISTOJqyyE/yxzQpB4UhTtBihgn/15wt67RuhdWC2bp/AA4QTb7hSSc7ibwOLz/pdYBrbn9P/IhNkxf132wscOBr5M107/x3K_2BnAOaEK3ZrGH_2/BhQbh5Iq3KL0HGqeYocdUa/aitTSocVb3Ei8/K8Yn7wxH/8ZzNnAARdlf1lpPkD_2FTSI/88hMX1xgXx/WKheFQm4ijbivR_2F/Zqk2tiAD1SrE/7_2FLrw5q4N/ROSXMe9TmWNzIt/lpE2Vas7vRgwYKuDJRzfN/M8anWcq
Click to see the 97 hidden entries
http://gtr.antoinfer.com/xFDxUxdbnv/F6OYsZZ54L9nW_2Fn/67TmggSh_2FJ/XC_2BJ4ptUf/_2Bn4_2BufrBke/X9TaUV
http://gtr.antoinfer.com/7lD6H27N_2/BPcjmtAv0Zw4YWBW5/_2Fxf1uK6WCO/_2Fjr90UDnf/fvsahgiWLN_2Bo/Vmn_2F
http://gtr.antoinfer.com/k_2Bld_2B868iR7p/iSLerqiJRFRfRPj/I3sykOYq_2B_2BHlkm/lN1n6_2F_/2BoCebPKrVZFk5Ykbc8d/ir2ifxTr4LNwVXB57AO/naMzNC0NRqAZpafqf_2BA_/2Be4kMQ_2Bs4v/p3vimkya/tnJRXZOQhgPrD4eJIIoOBmz/6_2FqS0VmH/GdEp4ZZJMOcj3fIll/Gr7XyTEKPabp/aWzveP_2B5R/CbkrZ6KMbYewce/4JBfvb8ftJcY5XJZOep1x/uKyVwvTYfdKUGuNG/Emm_2BOgQKRpwFp/DFm1TypwhIB6euZx4o/ZnwoOdebK/P2zkNdJ1mC1FOPRaBbHj/tGtvylAtqDtqZZGz2/K
http://gtr.antoinfer.com/k_2Bld_2B868iR7p/iSLerqiJRFRfRPj/I3sykOYq_2B_2BHlkm/lN1n6_2F_/2BoCebPKrVZFk
http://gtr.antoinfer.com/h_2F93afXj4zv0agU5uGcex/4RttysT472/M4H0F6I1ZWhRsl9Mq/gKfk1C7c8_2F/gare
http://gtr.antoinfer.com/h_2F93afXj4zv0agU5uGcex/4RttysT472/M4H0F6I1ZWhRsl9Mq/gKfk1C7c8_2F/gareL3qIH
http://gtr.antoinfer.com/MpeUKSeGn_2/Bk4DEtluQu8Y9R/36MpR_2BhUMN_2FXN2dO6/hANnmINzHP5reb6i/6KJxoqvLx
https://analysis.windows.net/powerbi/api
https://globaldisco.crm.dynamics.com
https://ncus.contentsync.
http://www.youtube.com/
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
https://outlook.office365.com/autodiscover/autodiscover.json
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
https://prod-global-autodetect.acompli.net/autodetect
https://dev0-api.acompli.net/autodetect
https://officesetup.getmicrosoftkey.com
http://weather.service.msn.com/data.aspx
https://github.com/Pester/Pester
https://dataservice.o365filtering.com/
https://graph.windows.net
https://web.microsoftstream.com/video/
https://store.officeppe.com/addinstemplate
https://api.powerbi.com/v1.0/myorg/groups
https://www.odwebp.svc.ms
https://o365auditrealtimeingestion.manage.office.com
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
https://substrate.office.com/search/api/v2/init
http://www.twitter.com/
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
https://entitlement.diagnostics.office.com
http://www.amazon.com/
https://clients.config.office.net/user/v1.0/android/policies
https://asgsmsproxyapi.azurewebsites.net/
https://incidents.diagnosticssdf.office.com
https://api.office.net
https://outlook.office365.com/api/v1.0/me/Activities
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
https://insertmedia.bing.office.net/odc/insertmedia
https://clients.config.office.net/user/v1.0/ios
https://incidents.diagnostics.office.com
https://wus2.contentsync.
https://management.azure.com
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
https://apis.live.net/v5.0/
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
https://entitlement.diagnosticssdf.office.com
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
https://cloudfiles.onenote.com/upload.aspx
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
https://cortana.ai
https://lookup.onenote.com/lookup/geolocation/v1
https://rpsticket.partnerservices.getmicrosoftkey.com
https://powerlift.acompli.net
https://api.aadrm.com/
https://clients.config.office.net/user/v1.0/tenantassociationkey
https://api.addins.omex.office.net/appinfo/query
https://cdn.entity.
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
https://autodiscover-s.outlook.com/
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
https://shell.suite.office.com:1443
https://login.microsoftonline.com/
https://api.diagnosticssdf.office.com
http://www.reddit.com/
http://www.apache.org/licenses/LICENSE-2.0.html
http://pesterbdd.com/images/Pester.png
https://store.office.cn/addinstemplate
https://free.mynowministries.com/app.dll
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
https://sr.outlook.office.net/ws/speech/recognize/assistant/work
https://officeci.azurewebsites.net/api/
https://tasks.office.com
https://powerlift-frontdesk.acompli.net
https://res.getmicrosoftkey.com/api/redemptionevents
https://graph.ppe.windows.net
https://outlook.office.com/autosuggest/api/v1/init?cvid=
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
https://portal.office.com/account/?ref=ClientMeControl
https://cr.office.com
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
https://api.microsoftstream.com/api/
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
https://ofcrecsvcapi-int.azurewebsites.net/

Dropped files

Name	File Type	Hashes
C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\Public\Documents\decrypt.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\app[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	#
Click to see the 47 hidden entries
C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\Documents\20210708\PowerShell_transcript.632922.yKWYpH3L.20210708154747.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\UZ97[1].htm	ASCII text, with very long lines, with no line terminators	#
C:\Users\user\Documents\20210708\PowerShell_transcript.632922.jVqfQyN1.20210708154748.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log	ASCII text, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iu1bwi3u.hs4.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mqu4u5sp.pln.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pfa1axxq.cvf.ps1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xm5ssgy3.k4v.psm1	very short file (no magic)	#
C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.0.cs	UTF-8 Unicode (with BOM) text	#
C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	#
C:\Users\user\Desktop\~$documentation_39236.xlsb	data	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\K[1].htm	ASCII text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.out	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Temp\~DF2EB1C9CA29BD00CF.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF436C4ACF406520B7.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF4AB9BBFB5CFFE773.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF6208F46269C5D052.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF903C43FA17F64456.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF97CC7EC2853BA6EC.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DF99BD870E81A4914B.TMP	data	#
C:\Users\user\AppData\Local\Temp\~DFA7B5BF1FB774EA36.TMP	data	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5DCD6FF6-E03E-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7879BAA2-E03E-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5DCD6FF8-E03E-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7879BAA4-E03E-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7879BAA6-E03E-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7879BAA8-E03E-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7879BAAA-E03E-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7879BAAC-E03E-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\othn[1].htm	ASCII text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3A4E1985-998D-4759-B374-77BB71813A62	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E633A7EE.jpg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 1684x1191, frames 3	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\FCD9B161.jpg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 1684x1191, frames 3	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\o596c7z[1].htm	ASCII text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\M8anWcq[1].htm	ASCII text, with very long lines, with no line terminators	#
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\gWg[1].htm	ASCII text, with very long lines, with no line terminators	#

documentation_39236.xlsb

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

documentation_39236.xlsb Options

Comments

Tags

Available tags:

Details

Joe Sandbox

Third Party Analysis Engines

IPs

Domains

URLs

Dropped files

Search started

documentation_39236.xlsb