IOC Report
Presentation.pptx

The Malicious column of each table below carries no values in this text export; only the columns that have values are shown.

Files

File Path | Type | Category
Presentation.pptx | Microsoft PowerPoint 2007+ | initial sample
/Users/bernard/Desktop/~$Presentation.pptx | data | dropped
/Users/bernard/Library/Containers/com.microsoft.Office365ServiceV2/Data/Library/Caches/Microsoft/uls/com.microsoft.Office365ServiceV2/logs/apple-device-log-20241001-2303.log | ASCII text, with very long lines (10444), with CRLF line terminators | dropped
/Users/bernard/Library/Containers/com.microsoft.Powerpoint/Data/Library/Application Support/Microsoft/FontCache/systemfontmetadata.json | JSON data | dropped
/Users/bernard/Library/Containers/com.microsoft.Powerpoint/Data/Library/Application Support/Microsoft/GraphicsCache/1/CatalogCacheMetaData.xml | XML 1.0 document, ASCII text, with very long lines (13120), with no line terminators | dropped
/Users/bernard/Library/Containers/com.microsoft.Powerpoint/Data/Library/Application Support/Microsoft/GraphicsCache/1/CloudGraphicsResources/Graphics/inkeffectbronze_apple.jpg | JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 405x405, components 3 | dropped
/Users/bernard/Library/Containers/com.microsoft.Powerpoint/Data/Library/Application Support/Microsoft/GraphicsCache/1/CloudGraphicsResources/Graphics/inkeffectgalaxy_apple.jpg | JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 405x405, components 3 | dropped
/Users/bernard/Library/Containers/com.microsoft.Powerpoint/Data/Library/Application Support/Microsoft/GraphicsCache/1/CloudGraphicsResources/Graphics/inkeffectgold_apple.jpg | JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 405x405, components 3 | dropped
/Users/bernard/Library/Containers/com.microsoft.Powerpoint/Data/Library/Application Support/Microsoft/GraphicsCache/1/CloudGraphicsResources/Graphics/inkeffectlava_apple.jpg | JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 405x405, components 3 | dropped
/Users/bernard/Library/Containers/com.microsoft.Powerpoint/Data/Library/Application Support/Microsoft/GraphicsCache/1/CloudGraphicsResources/Graphics/inkeffectocean_apple.jpg | JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 405x405, components 3 | dropped
/Users/bernard/Library/Containers/com.microsoft.Powerpoint/Data/Library/Application Support/Microsoft/GraphicsCache/1/CloudGraphicsResources/Graphics/inkeffectrainbowglitter_apple.jpg | JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 405x405, components 3 | dropped
/Users/bernard/Library/Containers/com.microsoft.Powerpoint/Data/Library/Application Support/Microsoft/GraphicsCache/1/CloudGraphicsResources/Graphics/inkeffectrosegold_apple.jpg | JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 405x405, components 3 | dropped
/Users/bernard/Library/Containers/com.microsoft.Powerpoint/Data/Library/Application Support/Microsoft/GraphicsCache/1/CloudGraphicsResources/Graphics/inkeffectsilver_apple.jpg | JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 405x405, components 3 | dropped
/Users/bernard/Library/Containers/com.microsoft.Powerpoint/Data/Library/Application Support/Microsoft/GraphicsCache/1/oart.json | JSON data | dropped
/Users/bernard/Library/Containers/com.microsoft.Powerpoint/Data/Library/Application Support/Microsoft/Office/16.0/Floodgate/PowerPoint.CampaignStates.json | JSON data | dropped
/Users/bernard/Library/Containers/com.microsoft.Powerpoint/Data/Library/Application Support/Microsoft/Office/16.0/WebServiceCache/AllUsers/officeclient.microsoft.com/C0A390DF-1012-B84C-AA3B-629416397471 | XML 1.0 document, ASCII text, with CRLF line terminators | dropped
/Users/bernard/Library/Containers/com.microsoft.Powerpoint/Data/Library/Application Support/Microsoft/Office/16.0/microsoft powerpoint_Rules.xml | XML 1.0 document, ASCII text, with very long lines (65536), with no line terminators | dropped
/Users/bernard/Library/Containers/com.microsoft.Powerpoint/Data/Library/Caches/Microsoft/uls/com.microsoft.Powerpoint/logs/apple-device-log-20241001-2303.log | ASCII text, with very long lines (804), with CRLF line terminators | dropped
/Users/bernard/Library/Containers/com.microsoft.Powerpoint/Data/Library/Caches/com.microsoft.ctrlstrcaches/com.microsoft.Powerpoint.ctrlstrcache.en.plist | Apple binary property list | dropped
/Users/bernard/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Proofing Tools.localized/.localized/ar.strings | Unicode text, UTF-16, little-endian text, with no line terminators | dropped
/Users/bernard/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Proofing Tools.localized/.localized/cs.strings | Unicode text, UTF-16, little-endian text, with no line terminators | dropped
/Users/bernard/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Proofing Tools.localized/.localized/da.strings | Unicode text, UTF-16, little-endian text, with no line terminators | dropped
/Users/bernard/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Proofing Tools.localized/.localized/de.strings | Unicode text, UTF-16, little-endian text, with no line terminators | dropped
/Users/bernard/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Proofing Tools.localized/.localized/el.strings | Unicode text, UTF-16, little-endian text, with no line terminators | dropped
/Users/bernard/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Proofing Tools.localized/.localized/en.strings | Unicode text, UTF-16, little-endian text, with no line terminators | dropped
/Users/bernard/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Proofing Tools.localized/.localized/es.strings | Unicode text, UTF-16, little-endian text, with no line terminators | dropped
/Users/bernard/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Proofing Tools.localized/.localized/fi.strings | Unicode text, UTF-16, little-endian text, with no line terminators | dropped
/Users/bernard/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Proofing Tools.localized/.localized/fr.strings | Unicode text, UTF-16, little-endian text, with no line terminators | dropped
/Users/bernard/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Proofing Tools.localized/.localized/he.strings | Unicode text, UTF-16, little-endian text, with no line terminators | dropped
/Users/bernard/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Proofing Tools.localized/.localized/hu.strings | Unicode text, UTF-16, little-endian text, with no line terminators | dropped
/Users/bernard/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Proofing Tools.localized/.localized/id.strings | Unicode text, UTF-16, little-endian text, with no line terminators | dropped
/Users/bernard/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Proofing Tools.localized/.localized/it.strings | Unicode text, UTF-16, little-endian text, with no line terminators | dropped
/Users/bernard/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Proofing Tools.localized/.localized/ja.strings | Unicode text, UTF-16, little-endian text, with no line terminators | dropped
/Users/bernard/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Proofing Tools.localized/.localized/ko.strings | Unicode text, UTF-16, little-endian text, with no line terminators | dropped
/Users/bernard/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Proofing Tools.localized/.localized/nl.strings | Unicode text, UTF-16, little-endian text, with no line terminators | dropped
/Users/bernard/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Proofing Tools.localized/.localized/no.strings | Unicode text, UTF-16, little-endian text, with no line terminators | dropped
/Users/bernard/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Proofing Tools.localized/.localized/pl.strings | Unicode text, UTF-16, little-endian text, with no line terminators | dropped
/Users/bernard/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Proofing Tools.localized/.localized/pt.strings | Unicode text, UTF-16, little-endian text, with no line terminators | dropped
/Users/bernard/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Proofing Tools.localized/.localized/pt_PT.strings | Unicode text, UTF-16, little-endian text, with no line terminators | dropped
/Users/bernard/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Proofing Tools.localized/.localized/ru.strings | Unicode text, UTF-16, little-endian text, with no line terminators | dropped
/Users/bernard/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Proofing Tools.localized/.localized/sk.strings | Unicode text, UTF-16, little-endian text, with no line terminators | dropped
/Users/bernard/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Proofing Tools.localized/.localized/sv.strings | Unicode text, UTF-16, little-endian text, with no line terminators | dropped
/Users/bernard/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Proofing Tools.localized/.localized/th.strings | Unicode text, UTF-16, little-endian text, with no line terminators | dropped
/Users/bernard/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Proofing Tools.localized/.localized/tr.strings | Unicode text, UTF-16, little-endian text, with no line terminators | dropped
/Users/bernard/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Proofing Tools.localized/.localized/zh_CN.strings | Unicode text, UTF-16, little-endian text, with no line terminators | dropped
/Users/bernard/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Proofing Tools.localized/.localized/zh_TW.strings | Unicode text, UTF-16, little-endian text, with no line terminators | dropped
/Users/bernard/Library/Keychains/login.keychain-db.sb-07d82885-3EdlEq | DIY-Thermocam raw data (Lepton 3.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 963362762505407623593984.000000, slope 303834226087943251262072422400.000000 | dropped
/Users/bernard/Library/Keychains/login.keychain-db.sb-07d82885-4RT1zY | DIY-Thermocam raw data (Lepton 3.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 963362762505407623593984.000000, slope 303834226087943251262072422400.000000 | dropped
/dev/null | ASCII text | dropped
/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/com.microsoft.Office365ServiceV2/mds/mdsDirectory.db_ | Mac OS X Keychain File | dropped
/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/com.microsoft.Office365ServiceV2/mds/mdsObject.db_ | Mac OS X Keychain File | dropped
/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/com.microsoft.Powerpoint/mds/mdsDirectory.db_ | Mac OS X Keychain File | dropped
/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/com.microsoft.Powerpoint/mds/mdsObject.db_ | Mac OS X Keychain File | dropped
/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.microsoft.Office365ServiceV2/TemporaryItems/(A Document Being Saved By Office365ServiceV2)/ci.plist | Apple binary property list | dropped
/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.microsoft.Powerpoint/TemporaryItems/(A Document Being Saved By PowerPoint)/ci.plist | Apple binary property list | dropped
/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.microsoft.Powerpoint/TemporaryItems/(A Document Being Saved By PowerPoint)/com.microsoft.Powerpoint.securebookmarks.plist | XML 1.0 document, ASCII text | dropped
46 further files are not included in this export.

Notes on the file list. The Type column is libmagic output and is not authoritative: the "DIY-Thermocam raw data" identification of the two login.keychain-db.sb-* entries is a signature false positive on temporary files written next to the user's login keychain database, not thermal-camera data; the fact that the keychain was written to during a document-open run is the part worth a second look. The mds/mdsDirectory.db_ and mdsObject.db_ entries reported as "Mac OS X Keychain File" are per-process caches of the Security framework's Module Directory Service, which share the keychain file format; they are not copies of the user keychain. ~$Presentation.pptx on the Desktop is the owner/lock file Office creates for any open document. /dev/null appearing as a dropped "ASCII text" file is instrumentation recording a write to /dev/null. Everything else listed sits inside the PowerPoint and Office365ServiceV2 app-sandbox containers, the shared UBF8T346G9.Office group container, or the per-user temporary tree under /private/var/folders, which is where a sandboxed Office app is expected to write.

Processes

Path | Cmdline
/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32 | -
/usr/bin/open | /usr/bin/open /Users/bernard/Desktop/Presentation.pptx
/usr/libexec/xpcproxy | -
/Applications/Microsoft PowerPoint.app/Contents/MacOS/Microsoft PowerPoint | /Applications/Microsoft PowerPoint.app/Contents/MacOS/Microsoft PowerPoint
/usr/libexec/xpcproxy | -
/Applications/Microsoft PowerPoint.app/Contents/SharedSupport/Office365ServiceV2.app/Contents/MacOS/Office365ServiceV2 | /Applications/Microsoft PowerPoint.app/Contents/SharedSupport/Office365ServiceV2.app/Contents/MacOS/Office365ServiceV2
/usr/libexec/xpcproxy | -
/usr/libexec/firmwarecheckers/eficheck/eficheck | /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check-daemon

A "-" in the Cmdline column means no command line was recorded. The sample was launched through /usr/bin/open, which hands the document to PowerPoint; /usr/libexec/xpcproxy is launchd's trampoline for starting XPC services and shows up once per service launch; eficheck with --integrity-check-daemon is Apple's EFI firmware integrity checker running as a system daemon. The report shows no parent/child relationships, so apart from PowerPoint and its bundled Office365ServiceV2 helper the only process not attributable to the Office bundle or to macOS itself is mono-sgen32, whose origin the report does not show.

URLs

IP: unknown for every entry below, meaning no resolution was observed for any of these hosts during the run (compare the Domains table, which lists only the names that did resolve).

Name
https://api.diagnosticssdf.office.com
https://login.microsoftonline.com/
https://shell.suite.office.com:1443
https://designerapp.azurewebsites.net
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
https://autodiscover-s.outlook.com/
https://useraudit.o365auditrealtimeingestion.manage.office.com
https://outlook.office365.com/connectors
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
https://cdn.entity.
https://api.addins.omex.office.net/appinfo/query
https://clients.config.office.net/user/v1.0/tenantassociationkey
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
https://powerlift.acompli.net
https://rpsticket.partnerservices.getmicrosoftkey.com
https://lookup.onenote.com/lookup/geolocation/v1
https://cortana.ai
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
https://cloudfiles.onenote.com/upload.aspx
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
https://entitlement.diagnosticssdf.office.com
https://api.aadrm.com/
https://ofcrecsvcapi-int.azurewebsites.net/
https://canary.designerapp.
https://ic3.teams.office.com
https://www.yammer.com
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
https://api.microsoftstream.com/api/
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
https://cr.office.com
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
https://messagebroker.mobile.m365.svc.cloud.microsoft
https://otelrules.svc.static.microsoft
https://portal.office.com/account/?ref=ClientMeControl
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
https://edge.skype.com/registrar/prod
https://graph.ppe.windows.net
https://res.getmicrosoftkey.com/api/redemptionevents
https://powerlift-frontdesk.acompli.net
https://tasks.office.com
https://officeci.azurewebsites.net/api/
https://sr.outlook.office.net/ws/speech/recognize/assistant/work
https://api.scheduler.
https://my.microsoftpersonalcontent.com
https://store.office.cn/addinstemplate
https://api.aadrm.com
https://edge.skype.com/rps
https://outlook.office.com/autosuggest/api/v1/init?cvid=
https://globaldisco.crm.dynamics.com
https://messaging.engagement.office.com/
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
https://dev0-api.acompli.net/autodetect
https://www.odwebp.svc.ms
https://api.diagnosticssdf.office.com/v2/feedback
https://api.powerbi.com/v1.0/myorg/groups
https://web.microsoftstream.com/video/
https://api.addins.store.officeppe.com/addinstemplate
https://graph.windows.net
https://dataservice.o365filtering.com/
https://officesetup.getmicrosoftkey.com
https://analysis.windows.net/powerbi/api
https://prod-global-autodetect.acompli.net/autodetect
https://substrate.office.com
https://outlook.office365.com/autodiscover/autodiscover.json
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
https://consent.config.office.com/consentcheckin/v1.0/consents
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
https://d.docs.live.net
https://safelinks.protection.outlook.com/api/GetPolicy
https://ncus.contentsync.
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
http://weather.service.msn.com/data.aspx
https://apis.live.net/v5.0/
https://officepyservice.office.net/service.functionality
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
https://templatesmetadata.office.net/
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
https://messaging.lifecycle.office.com/
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
https://mss.office.com
https://pushchannel.1drv.ms
https://management.azure.com
https://outlook.office365.com
https://wus2.contentsync.
https://incidents.diagnostics.office.com
https://clients.config.office.net/user/v1.0/ios
https://make.powerautomate.com
https://api.addins.omex.office.net/api/addins/search
https://insertmedia.bing.office.net/odc/insertmedia
https://outlook.office365.com/api/v1.0/me/Activities
https://api.office.net
https://incidents.diagnosticssdf.office.com
https://asgsmsproxyapi.azurewebsites.net/
https://clients.config.office.net/user/v1.0/android/policies
https://entitlement.diagnostics.office.com
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
https://substrate.office.com/search/api/v2/init
90 further URLs are not included in this export.

Notes on the URL list. Every hostname shown is a Microsoft service endpoint (Office, Microsoft 365, Outlook/Exchange, OneNote, OneDrive, Skype/Teams, Azure, Bing, Dynamics, UserVoice), the kind of endpoint list that Office carries in its own binaries and configuration; with no resolution observed for any of them, the list on its own is not evidence that the document caused network contact. The tenant GUID in the login.windows.net entry is Microsoft's own tenant, which ships embedded in Office, not a value derived from the document. Entries that end in a bare dot (https://cdn.entity., https://canary.designerapp., https://api.scheduler., https://ncus.contentsync., https://wus2.contentsync.) or are cut mid-list (the augloop entry) are truncated in the source and are reproduced as they appear. One entry, http://weather.service.msn.com/data.aspx, is plain HTTP.

Domains

Name | IP
appledownload.map.fastly.net | 151.101.3.8
h3.apis.apple.map.fastly.net | 151.101.195.6

IPs

IP | Domain | Country
151.101.3.8 | appledownload.map.fastly.net | United States
23.213.224.212 | unknown | United States
151.101.131.6 | unknown | United States
151.101.195.6 | h3.apis.apple.map.fastly.net | United States

Notes on the network tables. These are the only names and addresses recorded for the run. The two names that resolved are Apple service hostnames fronted by Fastly, and the three 151.101.x.x addresses fall in Fastly's CDN range; "unknown" in the Domain column means no name was associated with that address in the capture. None of the Microsoft endpoints from the URLs table appears here.
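The following Python helper is an added example, not part of the sandbox report or of any vendor tooling. It performs the first triage pass an analyst makes on the Files and URLs tables above: dropped paths are bucketed by whether they sit inside the Office app-sandbox containers or the per-user temporary tree, with keychain writes, the Office owner file and the /dev/null artefact pulled out separately, and the URL list is split into hosts that resolved (per the Domains table), hosts that did not, and entries the report truncated. The sample rows are constructed from this page's own tables; the bucket names, the container regexes and the truncation heuristic are the example's own choices.

```python
import re
from urllib.parse import urlsplit

# Locations where a sandboxed Office app is expected to write. Paths here are
# low-signal on their own; the regexes are this example's own choice.
EXPECTED_PREFIXES = (
    re.compile(r"^/Users/[^/]+/Library/Containers/"),
    re.compile(r"^/Users/[^/]+/Library/Group Containers/"),
    re.compile(r"^/private/var/folders/"),
)


def classify_path(path: str) -> str:
    """Bucket one dropped-file path to order manual review."""
    if path == "/dev/null":
        return "devnull"          # instrumentation recorded a write to /dev/null
    if "/Library/Keychains/" in path:
        return "keychain"         # any keychain write deserves a look
    if path.rsplit("/", 1)[-1].startswith("~$"):
        return "owner-file"       # Office owner/lock file for an open document
    if any(p.match(path) for p in EXPECTED_PREFIXES):
        return "container"        # inside the app sandbox or per-user temp tree
    return "review"               # written somewhere outside those trees


def triage_files(records):
    """records: iterable of (path, libmagic type, category) rows.
    Returns {bucket: [paths]} for dropped files, skipping the initial sample."""
    buckets = {}
    for path, _ftype, category in records:
        if category == "initial sample":
            continue
        buckets.setdefault(classify_path(path), []).append(path)
    return buckets


def triage_urls(urls, resolved_domains):
    """Split URL strings into resolved / unresolved hostnames and truncated entries.
    A URL counts as truncated when it ends in a bare dot or packs several URLs
    separated by ';' (both forms occur in the report)."""
    truncated, hosts = [], set()
    for url in urls:
        if url.endswith(".") or ";" in url:
            truncated.append(url)  # keep verbatim; never guess the missing part
            continue
        host = urlsplit(url).hostname
        if host:
            hosts.add(host)
    resolved = sorted(h for h in hosts if h in resolved_domains)
    unresolved = sorted(hosts - set(resolved))
    return {"resolved": resolved, "unresolved": unresolved, "truncated": truncated}


# Constructed sample input: a handful of rows copied from the report tables.
SAMPLE_FILES = [
    ("Presentation.pptx", "Microsoft PowerPoint 2007+", "initial sample"),
    ("/Users/bernard/Desktop/~$Presentation.pptx", "data", "dropped"),
    ("/Users/bernard/Library/Containers/com.microsoft.Powerpoint/Data/Library/"
     "Application Support/Microsoft/GraphicsCache/1/oart.json", "JSON data", "dropped"),
    ("/Users/bernard/Library/Group Containers/UBF8T346G9.Office/User Content.localized/"
     "Proofing Tools.localized/.localized/en.strings",
     "Unicode text, UTF-16, little-endian text, with no line terminators", "dropped"),
    ("/Users/bernard/Library/Keychains/login.keychain-db.sb-07d82885-3EdlEq",
     "DIY-Thermocam raw data (Lepton 3.x)", "dropped"),   # libmagic false positive
    ("/dev/null", "ASCII text", "dropped"),
    ("/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/com.microsoft.Powerpoint/"
     "mds/mdsObject.db_", "Mac OS X Keychain File", "dropped"),
]
SAMPLE_URLS = [
    "https://login.microsoftonline.com/",
    "https://cdn.entity.",
    "https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h",
    "https://api.aadrm.com/",
    "https://api.aadrm.com",
    "http://weather.service.msn.com/data.aspx",
]
SAMPLE_RESOLVED = {"appledownload.map.fastly.net", "h3.apis.apple.map.fastly.net"}

if __name__ == "__main__":
    for bucket, paths in sorted(triage_files(SAMPLE_FILES).items()):
        print(f"{bucket}: {len(paths)}")
    for key, value in triage_urls(SAMPLE_URLS, SAMPLE_RESOLVED).items():
        print(f"{key}: {value}")
```

Run against the constructed rows, every dropped path lands in an expected bucket or in one of the three named exceptions, nothing lands in "review", and no URL host matches a resolved name, which is the shape of this report: an Office document that produced only the application's own cache writes and no network contact beyond Apple infrastructure. A path in "review" or a URL host in "resolved" is where a real malicious sample would first show up.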