Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 42d6a30f6ccb7363…

MALICIOUS

Office (OOXML) / .DOC

Size: 131.0 KB
Created: 2025-12-25 05:29:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: f3b4e5ba6a64d30672e7d3fc95bc26f5
SHA-1: 7a2f589f1651e0912e2af05969571e0aace34b76
SHA-256: 42d6a30f6ccb7363cd86d6064996f99e087c30d7ecbafea92ebfbdf763949350
Risk Score: 88

Malware Insights

MITRE ATT&CK
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1218.011 Signed Binary Proxy Execution: Rundll32
  • T1059.001 Command and Scripting Interpreter: PowerShell

The document triggers high-severity heuristics indicating an attempt to trick the user into executing commands: it instructs the reader to paste clipboard content into a shell-like execution context and carries visible command text invoking Windows LOLBins. The document body, while discussing CVE-2021-44228, also contains a 'TOTAL DISCLAIMER & LEGAL NOTICE' that warns against illicit use and mentions 'verbatim exploit code and Remote Code Execution (RCE) methodologies', suggesting the document itself is a lure for executing malicious commands. The presence of external hyperlinks, though benign in reputation, further supports the document's role as a delivery mechanism.

Heuristics (4)

  • Clipboard command execution lure (severity: high, SE_CLIPBOARD_COMMAND_LURE)
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • Visible LOLBin command execution instruction (severity: high, SE_LOLBIN_RUN_COMMAND)
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32.
  • External hyperlinks (57) (severity: low, OOXML_EXTERNAL_HYPERLINKS)
    Document contains 57 external hyperlinks; clickable URLs are stored as external relationships. First target: https://www.ibm.com/id-id/think/topics/log4shell
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml