Windows Analysis Report
cnewton doc 08.11.2022.doc

Overview

General Information

Sample Name: cnewton doc 08.11.2022.doc
Analysis ID: 682599
MD5: ee1d6eb5b07b99e65fc0cb477193c35c
SHA1: 9d4dbf701c8ede93a79036dd5a0316da988a2eeb
SHA256: 23b9a20a59041fc7d484957e49ffa7e0f6dba7dbbec0628a4adb69c2e05863ab
Tags: docIcedID
Infos:

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Document contains an embedded VBA macro with suspicious strings
Machine Learning detection for sample
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)
IP address seen in connection with other malware

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: cnewton doc 08.11.2022.doc Virustotal: Detection: 21% Perma Link
Source: cnewton doc 08.11.2022.doc ReversingLabs: Detection: 15%
Antivirus detection for URL or domain
Source: http://45.8.146.139/fhfty/NH1-X8NL7CO4_YNJ-MEFY7BW9QYIJW1I/-f Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: cnewton doc 08.11.2022.doc Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Software Vulnerabilities
barindex
Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\y745B.tmp.dll Jump to behavior
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Source: global traffic TCP traffic: 45.8.146.139:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.8.146.139:80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /fhfty/NH1-X8NL7CO4_YNJ-MEFY7BW9QYIJW1I/-f HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 45.8.146.139Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 45.8.146.139 45.8.146.139
Source: unknown TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: unknown TCP traffic detected without corresponding DNS query: 45.8.146.139
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1BAAF2A8-E832-4261-85D2-442C43FCDC2C}.tmp Jump to behavior
Source: global traffic HTTP traffic detected: GET /fhfty/NH1-X8NL7CO4_YNJ-MEFY7BW9QYIJW1I/-f HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 45.8.146.139Connection: Keep-Alive

System Summary
barindex
Document contains an embedded VBA macro with suspicious strings
Source: cnewton doc 08.11.2022.doc OLE, VBA macro line: Private Declare PtrSafe Function Lib "kernel32" Alias "VirtualProtect" (ByVal As LongPtr, ByVal As LongPtr, ByVal As LongPtr, As LongPtr) As LongPtr
Source: cnewton doc 08.11.2022.doc OLE, VBA macro line: Set = CallByName((EF9Yq0sar_("DgrVRLL_I")), EF9Yq0sar_("kMNkamqH7"), VbGet, EF9Yq0sar_("RQeWcJp24"))
Source: cnewton doc 08.11.2022.doc OLE, VBA macro line: Set = CallByName((), EF9Yq0sar_("qWfCNVnD"), VbGet, )
Source: cnewton doc 08.11.2022.doc OLE, VBA macro line: Set = CallByName((), EF9Yq0sar_("Qa6ipUt"), VbGet, )
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: cnewton doc 08.11.2022.doc OLE, VBA macro line: Private Sub Document_Open()
Document contains embedded VBA macros
Source: cnewton doc 08.11.2022.doc OLE indicator, VBA macros: true
Source: cnewton doc 08.11.2022.doc Virustotal: Detection: 21%
Source: cnewton doc 08.11.2022.doc ReversingLabs: Detection: 15%
Source: cnewton doc 08.11.2022.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\cnewton doc 08.11.2022.doc
Source: cnewton doc 08.11.2022.doc OLE indicator, Word Document stream: true
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$ewton doc 08.11.2022.doc Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR6009.tmp Jump to behavior
Source: classification engine Classification label: mal72.expl.winDOC@1/6@0/1
Source: cnewton doc 08.11.2022.doc OLE document summary: title field not present or empty
Source: cnewton doc 08.11.2022.doc OLE document summary: author field not present or empty
Source: cnewton doc 08.11.2022.doc OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: cnewton doc 08.11.2022.doc Initial sample: OLE zip file path = docProps/custom.xml
Source: cnewton doc 08.11.2022.doc Static file information: File size 2343230 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 682599 Sample: cnewton doc 08.11.2022.doc Startdate: 11/08/2022 Architecture: WINDOWS Score: 72 14 Antivirus detection for URL or domain 2->14 16 Multi AV Scanner detection for submitted file 2->16 18 Machine Learning detection for sample 2->18 20 Document contains an embedded VBA macro with suspicious strings 2->20 5 WINWORD.EXE 18 36 2->5         started        process3 dnsIp4 12 45.8.146.139, 49171, 80 VMAGE-ASRU Russian Federation 5->12 10 C:\Users\user\AppData\Local\...\y745B.tmp.dll, HTML 5->10 dropped 22 Document exploit detected (creates forbidden files) 5->22 file5 signatures6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
45.8.146.139
 unknown Russian Federation
44676 VMAGE-ASRU false

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://45.8.146.139/fhfty/NH1-X8NL7CO4_YNJ-MEFY7BW9QYIJW1I/-f true
  • 5%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown