Edit tour

Windows Analysis Report
yFwFFUG8b5.rtf

Overview

General Information

Sample Name:	yFwFFUG8b5.rtf
Original Sample Name:	59e7f344c86d2adef46011daccd3206e9fb87ad3edc3b88910daf4e5bc5c2401.rtf
Analysis ID:	1303436
MD5:	cbf234faf143cd9fdc9702a6a976153c
SHA1:	3a80997a96677a0bacd43a14a776a5a3dd716cae
SHA256:	59e7f344c86d2adef46011daccd3206e9fb87ad3edc3b88910daf4e5bc5c2401
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Antivirus detection for URL or domain

Document embeds suspicious OLE2 link

Document contains embedded VBA macros

Yara signature match

Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 7452 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
yFwFFUG8b5.rtf	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x126e:$obj1: \objhtml 0x12ab:$obj2: \objdata 0x1293:$obj3: \objupdate

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: yFwFFUG8b5.rtf

Avira: detected

Multi AV Scanner detection for submitted file

Source: yFwFFUG8b5.rtf

ReversingLabs: Detection: 39%

Antivirus detection for URL or domain

Source: http://wsvdyhrgebwhevawe.ydns.eu/fileone/Fnvtdhenapsfwu.exej

Avira URL Cloud: Label: phishing

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: ~WRF{BC756FC3-E405-47FA-B8A9-6E6B44BDC6EF}.tmp.0.dr	String found in binary or memory: http://wsvdyhrgebwhevawe.ydns.eu/fileone/Fnvtdhenapsfwu.exej
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://api.aadrm.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://api.microsoftstream.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://api.office.net
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://api.scheduler.
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://augloop.office.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://cdn.entity.
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://clients.config.office.net
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://cortana.ai
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://cr.office.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://d.docs.live.net
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://designerapp.officeapps.live.com/designerapp
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://directory.services.
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://ecs.office.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://graph.windows.net
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://invites.office.com/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://login.microsoftonline.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://login.windows.local
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://make.powerautomate.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://management.azure.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://management.azure.com/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://outlook.office.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://pushchannel.1drv.ms
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://substrate.office.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://tasks.office.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	String found in binary or memory: https://www.yammer.com

System Summary

Malicious sample detected (through community Yara rule)

Source: yFwFFUG8b5.rtf, type: SAMPLE

Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen

Document embeds suspicious OLE2 link

Source: ~WRF{BC756FC3-E405-47FA-B8A9-6E6B44BDC6EF}.tmp.0.dr

Stream path '_1755422681/\x1Ole10Native' : http://wsvdyhrgebwhevawe.ydns.eu/fileone/Fnvtdhenapsfwu.exejWideCharToMultiByteSjjh$,RjT$RjjWinExecSj$$RExitProcessSjRd0RJ0Qt$tBZRL$T$ft9f;t)farfzvfArfZwf f;t1ZSRVWT$B<DxPHX!0t=QWt$$1I_uYX+HX$K@YI1_^Z[

Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr

OLE indicator, VBA macros: true

Source: yFwFFUG8b5.rtf, type: SAMPLE

Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.

Source: ~WRF{BC756FC3-E405-47FA-B8A9-6E6B44BDC6EF}.tmp.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: 32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: yFwFFUG8b5.rtf

ReversingLabs: Detection: 39%

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{092556A3-B623-4E5F-BDB6-C186C02762AD} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: classification engine

Classification label: mal76.winRTF@1/9@0/0

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: yFwFFUG8b5.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\yFwFFUG8b5.rtf

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Source: ~WRF{BC756FC3-E405-47FA-B8A9-6E6B44BDC6EF}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scripting	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Scripting	LSASS Memory	2 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
yFwFFUG8b5.rtf	39%	ReversingLabs	Document-RTF.Exploit.CVE-2017-11882
yFwFFUG8b5.rtf	100%	Avira	HEUR/Rtf.Malformed

Source	Detection	Scanner	Label
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://api.scheduler.	0%	URL Reputation	safe
https://my.microsoftpersonalcontent.com	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://d.docs.live.net	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://make.powerautomate.com	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	URL Reputation	safe
https://login.windows.local	0%	URL Reputation	safe
https://api.officescripts.microsoftusercontent.com/api	0%	URL Reputation	safe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	0%	Avira URL Cloud	safe
http://wsvdyhrgebwhevawe.ydns.eu/fileone/Fnvtdhenapsfwu.exej	100%	Avira URL Cloud	phishing

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://login.microsoftonline.com/	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://shell.suite.office.com:1443	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://autodiscover-s.outlook.com/	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://cdn.entity.	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://powerlift.acompli.net	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://cortana.ai	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://api.aadrm.com/	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false	URL Reputation: safe	unknown
https://www.yammer.com	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://api.microsoftstream.com/api/	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://cr.office.com	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false	Avira URL Cloud: safe	low
https://portal.office.com/account/?ref=ClientMeControl	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://graph.ppe.windows.net	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://officeci.azurewebsites.net/api/	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://api.scheduler.	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false	URL Reputation: safe	unknown
https://my.microsoftpersonalcontent.com	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false	URL Reputation: safe	unknown
https://store.office.cn/addinstemplate	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://globaldisco.crm.dynamics.com	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://messaging.engagement.office.com/	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://dev0-api.acompli.net/autodetect	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://api.powerbi.com/v1.0/myorg/groups	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://web.microsoftstream.com/video/	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://api.addins.store.officeppe.com/addinstemplate	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://dataservice.o365filtering.com/	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false	URL Reputation: safe	unknown
https://substrate.office.com	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://outlook.office365.com/autodiscover/autodiscover.json	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://consent.config.office.com/consentcheckin/v1.0/consents	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://d.docs.live.net	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false	URL Reputation: safe	unknown
https://ncus.contentsync.	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
http://weather.service.msn.com/data.aspx	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://apis.live.net/v5.0/	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://messaging.lifecycle.office.com/	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://pushchannel.1drv.ms	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://management.azure.com	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://outlook.office365.com	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://wus2.contentsync.	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://make.powerautomate.com	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/api/addins/search	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://api.office.net	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://incidents.diagnosticssdf.office.com	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
http://wsvdyhrgebwhevawe.ydns.eu/fileone/Fnvtdhenapsfwu.exej	~WRF{BC756FC3-E405-47FA-B8A9-6E6B44BDC6EF}.tmp.0.dr	true	Avira URL Cloud: phishing	unknown
https://asgsmsproxyapi.azurewebsites.net/	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://entitlement.diagnostics.office.com	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://substrate.office.com/search/api/v2/init	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://outlook.office.com/	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://login.windows.local	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://webshell.suite.office.com	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://login.microsoftonline.com	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://substrate.office.com/search/api/v1/SearchHistory	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://management.azure.com/	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://messaging.lifecycle.office.com/getcustommessage16	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false		high
https://api.officescripts.microsoftusercontent.com/api	32597437-DE6A-41FE-94A8-35F06685A9D8.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1303436
Start date and time:	2023-09-05 12:37:47 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 4s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	yFwFFUG8b5.rtf
Original Sample Name:	59e7f344c86d2adef46011daccd3206e9fb87ad3edc3b88910daf4e5bc5c2401.rtf
Detection:	MAL
Classification:	mal76.winRTF@1/9@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .rtf Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 52.109.2.151, 20.126.111.161, 20.231.71.84
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, prod-w.nexus.live.com.akadns.net, config.officeapps.live.com, prod.configsvc1.live.com.akadns.net, us.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: yFwFFUG8b5.rtf

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\32597437-DE6A-41FE-94A8-35F06685A9D8

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	158646
Entropy (8bit):	5.348559102768841
Encrypted:	false
SSDEEP:	1536:e+C/FPgf3B7U9guw19Q9DQA+zQk5k4F77nXmvidlXRAE6LIj6k:ZDQ9DQA+zNXHD
MD5:	E4FC7AFF45B4EEE76F600FFE85F61270
SHA1:	77249587B1FE735A6E992CC3AB4D6C5EECDED081
SHA-256:	E00A2A9F444CA9EC28BEC72BC776BECADD1F8ED38E7A96D455AB52E1780FF90F
SHA-512:	3CF9C940038ECCD4AABC30B0E337A2F932B7BFB5BA678A9C5E23F8EE8A931063119D4419573948A98A9A973E9308CCF51C68A566076E2B3333974152C5E6D1A1
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2023-09-05T10:38:50">.. Build: 16.0.16827.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuthorityU

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{BC756FC3-E405-47FA-B8A9-6E6B44BDC6EF}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	1.1320092371798003
Encrypted:	false
SSDEEP:	24:raI8Utqoj73POWm9l7tfj9xBOjl5AzA03fazWKaBL/AkiF8:raZUtdPOWm9lRfj9xB85AzAE0yBLziF
MD5:	D4795CA46418A9530F320A7DA7B92281
SHA1:	AFF3A2D9DBF04A9BC696240A619860521F8AA7B7
SHA-256:	267C338D96813D1247723968CF080382E5631DF7316882D9F795E6A24E10CEED
SHA-512:	7E3AC67CE55AAC3F878C45B4FE4649A29FC60C01384191D20A156BAB2AA8185BE1B1E8D52C4269C8B190F2C9AC8C9841A92BA3F708B5F728D7D15103DFA3BB70
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{DC50A48E-EAAC-47AF-9927-355728D16EDF}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	3.440344697982507
Encrypted:	false
SSDEEP:	192:JlD2F0Q4qQowXlxvHbn5f9uqK/2Mo20nuonFO5ZvhlrBBzpZZ:JlDjHbHbnruqK/CjFO/jpZZ
MD5:	E48B2A8BF8B6AD374634D06D5995E82E
SHA1:	92A7EEDBCB7A414B6AE96DFB7F5444E291C465EE
SHA-256:	1167CC15A93FAC11D45496EB87D470A04DB44D7BD5C42D3E67E49D59AE4A1626
SHA-512:	E54AB65D1067914674CABAE1DE87129AD150D316546A78014F6D02BE8D34C8EC24C8F51163D50978EE7D914B00F6BE3A1560F096925F7A265FC1BFCF886F1A0E
Malicious:	false
Reputation:	low
Preview:	....8.8.2.7.1.1.0.1.8.^.^..~.).9.;.].2.&.7.\|.,.+.0._...1.#...#.!.>.(.;.+.).#.9.?.).5.?.%.(.4.~.=.&.>.].>.&.?.`.\|.?.&.#.<.@.%.&.....'.8.:.?.'.`.].;.?.>..5.9.5.2.?.%.&.4.!./...'.@.3.^.>.@./.6.3.@.4.6.5.+.'.^.7.8.=...'.?.4.%.\|.!.%.3.%.6.^.7.%.,.?.[.0.!.8...8.@.9..+.,.$.$.!.$.7.]...!.8.6.8.$.9.2.?.<._.\|.%.4.;.~.[.'._.\|.[.!.&...-...`.3./...^._.'.~.....0.?.'.\|.+.^.<...9.-.%.<.^.7.3.).5.).?.#.$._.:.@.2.>.&.^.0.?.<.[.;.?.9.?.'.?.$.?.].1.#.$.,.:.?...>.^.6.;.5.[...@.(.7.$.2.2.`.\|..?.@...'.....?./.1.0.,.;.).<.+.=._.+.'.].!.<.>.~...+.>.4.?.?.].%.].-...+.1.?.<.[.$.^...7.8.^.8.5.%...>..=.~..5.?.?.?.9.?.(...+.5.'.1.8.!.2.:...8.2.6.\|...[...+.$.,..<.>.#._.?.0.?.&.?.;.;.4.=.6./.\|.5.?.)./.?.0.;.@.7.\|.3.<.6.'.../.1.+.:.:.-.?.+.^.@.#...1.$.^./..~._....^...5.3.%.#.2.:.1.9.9.=.>.?.3.~...?.[.~.'..._.!.#.'._.8.2.+.8.+.6.?.!.).1.7.8.../.?.9.`.>...:.[.;.7.!...'.?.?.,.6.4.>...+..[.?.:.:.).:.3.[.[.].!.^.].\|.8.9.0.(.=.<.-.\|.,.!.>._.?.;.1.8.;.&.<.5.).-...(.2.^.,.9.8.7.1.>.(.6.?.$._.1.~.$.?.#.>.].*.%.?.9.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{F99806D6-F16F-4DA6-B3B6-FC251D46CB10}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	78
Entropy (8bit):	4.820300539697694
Encrypted:	false
SSDEEP:	3:bDuMJlEsjdHQpulmxWIMovhPdHQpulv:bCERMuGPMu1
MD5:	544DEAA7709184F853BBB323A0EEC8B1
SHA1:	0C5E68C83F138FAA781AD8A2DB73AFCB49759835
SHA-256:	6B77993FCAAE20F46AE1305C8727E72D631538AE56FA24C8C9341E8E2AE9FB88
SHA-512:	0DCB4625CE2F6F3B9107F65382E95C31FE377E15A83A7254AD5B9429575C5E4E4B644842108741591409279F8654F5A23D52A2E8E8981DF0880563B9C92B7E31
Malicious:	false
Preview:	[folders]..Templates.LNK=0..yFwFFUG8b5.LNK=0..[misc??????]..yFwFFUG8b5.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\yFwFFUG8b5.LNK

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 16:56:03 2023, mtime=Tue Sep 5 09:38:50 2023, atime=Tue Sep 5 09:38:46 2023, length=104980, window=hide
Category:	dropped
Size (bytes):	1060
Entropy (8bit):	4.720394737279126
Encrypted:	false
SSDEEP:	12:8VBpUdS6CHiX30xGX5D3R+W+1E9lqlgQRijEjAJ/y5jU4XRQDyX2i2A4t2Y+xIBx:883XV3FleFgUAJK5yDymPY7aB6m
MD5:	02905FA5F660730F36EE11D77437EE4C
SHA1:	8A9C26384BA692E0DD034ACC435645EDD4B5668C
SHA-256:	387899754F74140AD7ECF8376A996483AF7707EC1F1A459B518E3C0247801C6E
SHA-512:	294FE4DC8B00FC612E5050DC7547614A9565125EB7C3B7EDFBD1AACECA607F4B2B483573C2DBF4FD1175D2FB9C64F49404F582201C6A07E986066B00E5026ABE
Malicious:	false
Preview:	L..................F.... ...Mcq.}...@.E(....n.P&.................................P.O. .:i.....+00.../C:\...................x.1......Ng...Users.d......L..%W.T....................:......B..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....T.1......W....user..>.......NM.%W.T.....S......................%.a.l.f.o.n.s.....~.1......W....Desktop.h.......NM.%W.T.....Y..............>.......L.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....j.2.....%W.T .YFWFFU~1.RTF..N.......W..%W.T..............................y.F.w.F.F.U.G.8.b.5...r.t.f.......U...............-.......T...........>.S......C:\Users\user\Desktop\yFwFFUG8b5.rtf..%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.y.F.w.F.F.U.G.8.b.5...r.t.f.........:..,.LB.)...Aw...`.......X.......124406...........!a..%.H.VZAj.....k.p8.......W...!a..%.H.VZAj.....k.p8.......W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.35404893645518
Encrypted:	false
SSDEEP:	3:Rl/Zd4XXlblOJOAk25llXXzplllJ:RtZm5AkgT
MD5:	82BAEF59A36E299C7D0FEAD72F2F9975
SHA1:	03C8E387DC64A59C94B2D9C329810DF4F09CABBE
SHA-256:	4971F01225E22C0FE0EE95A71689A9091A4BD1A44E4E46C5995D1469C71E4154
SHA-512:	7CD03BAE472E4A57C9C0D03E786720E77B5B280D231260845CAB8890C17B55F0B09F429190D6871B250FA9327BEADBB14314740C2C5CD62FC032C0213293D6BE
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h............H0...................2..........HA.....k.o`....................H............T...

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	20
Entropy (8bit):	2.8954618442383215
Encrypted:	false
SSDEEP:	3:QVNliGn:Q9rn
MD5:	C4F79900719F08A6F11287E3C7991493
SHA1:	754325A769BE6ECCC664002CD8F6BDB0D0B8CA4D
SHA-256:	625CA96CCA65A363CC76429804FF47520B103D2044BA559B11EB02AB7B4D79A8
SHA-512:	0F3C498BC7680B4C9167F790CC0BE6C889354AF703ABF0547F87B78FEB0BAA9F5220691DF511192B36AD9F3F69E547E6D382833E6BC25CDB4CD2191920970C5F
Malicious:	false
Preview:	..p.r.a.t.e.s.h.....

C:\Users\user\Desktop\~$wFFUG8b5.rtf

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.358708735851251
Encrypted:	false
SSDEEP:	3:Rl/Zd4XXlblOJOAkszlNzplllJ:RtZm5AkAT
MD5:	BE67E3F67222F2A441610F3051FA6BE1
SHA1:	6340B051E352E50EA25E8F8308A7742669DE99BD
SHA-256:	A87DE3F02D9DED3DEBD873DD92809D944C9794B32AE252877205279D858E291F
SHA-512:	543E89002ECFC70D7646A022B88C8DBBC67021219370601C97FCE7778354C07F6BE360AD1AE421BF4E7F7BE561CDAB7DB8DEDEB258F317487FE7559A4BE0B9EB
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h............H0...................2..........HA.....k.o`....................H............T...

Static File Info

General

File type:	Rich Text Format data, version 1
Entropy (8bit):	2.5430425756510457
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	yFwFFUG8b5.rtf
File size:	104'980 bytes
MD5:	cbf234faf143cd9fdc9702a6a976153c
SHA1:	3a80997a96677a0bacd43a14a776a5a3dd716cae
SHA256:	59e7f344c86d2adef46011daccd3206e9fb87ad3edc3b88910daf4e5bc5c2401
SHA512:	62edf48c3b9937284495b223eed254c981585714fb53f6409ca944b9266f44e00473c449b4efc0675f823100fef946a38895112c2ae9cef91200a3b57cdd3e3e
SSDEEP:	384:ojGD480k5SMgBeIPu92IqYz/ibe0sdOq0A/0mmmH:Pt04gBeIGEs/ibe0GO286
TLSH:	65A3336D938B4460CFA463BB831BAE0895FC776EB3589176B89C133037E9D79462603C
File Content Preview:	{\rtf1.....{\\lineColor816588099 \\|}.{\1882711018^^~)9;]2&7\|,+0_.1#.#!>(;+)#9?)5?%(4~=&>]>&?`\|?&#<@%&..'8:?'`];?>5952?%&4!/.'@3^>@/63@465+'^78=.'?4%\|!%3%6^7%,?[0!8.8@9+,$$!$7].!868$92?<_\|%4;~['_\|[!&.-.`3/.^_'~..0?'\|+^<**9-%<^73)5)?#$_:@2>&^0?<[;?9?'?$

File Icon


Icon Hash:	39f5a98c818aacb3

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	000012B5h								no

Target ID:	0
Start time:	12:38:47
Start date:	05/09/2023
Path:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0xfa0000
File size:	1'937'688 bytes
MD5 hash:	0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Disassembly

⊘No disassembly

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report yFwFFUG8b5.rtf

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\32597437-DE6A-41FE-94A8-35F06685A9D8

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{BC756FC3-E405-47FA-B8A9-6E6B44BDC6EF}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{DC50A48E-EAAC-47AF-9927-355728D16EDF}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{F99806D6-F16F-4DA6-B3B6-FC251D46CB10}.tmp

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\yFwFFUG8b5.LNK

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

C:\Users\user\Desktop\~$wFFUG8b5.rtf

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Statistics

System Behavior

Analysis Process: WINWORD.EXEPID: 7452, Parent PID: 804

General

Disassembly

Windows Analysis Report
yFwFFUG8b5.rtf