Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 5b85dbe49b8bc1e6…

MALICIOUS

Office (OOXML) / .DOCX

Size: 13.0 KB
Created: 2021-08-24 13:28:00 UTC
Authoring application: Microsoft Office Word 16.0000
MD5: 265be11d746a90d8b6a6f9eda1d31fb7
SHA-1: 1a528a5964cd18d8ce7a47e69e30ef1163407233
SHA-256: 5b85dbe49b8bc1e65e01414a0508329dc41dc13c92c08a4f14c71e3044b06185
Risk Score: 162

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample exploits CVE-2021-40444 using an external OLEObject gadget, as indicated by critical heuristic firings. This vulnerability allows for the execution of arbitrary code, likely leading to the download and execution of a second-stage payload from the embedded URL. The document's structure and the presence of external relationships further support this exploit vector.

Heuristics (4)

  • External OLEObject gadget — CVE-2021-40444 (severity: critical; category: CVE; match: exact; rule: CVE_2021_40444)
    External relationship to mhtml:http://hidusi.com/e273caf2ca371919/mountain.html!x-usc:http://hidusi.com/e — exploitable external OLEObject gadget pattern for CVE-2021-40444
  • ClamAV: Doc.Exploit.CVE_2021_40444-9891528-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Exploit.CVE_2021_40444-9891528-0
  • External relationship (severity: high; rule: OOXML_EXTERNAL_REL)
    External target in word/_rels/document.xml.rels: mhtml:http://hidusi.com/e273caf2ca371919/mountain.html!x-usc:http://hidusi.com/e273caf2ca371919/mountain.html
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://hidusi.com/e273caf2ca371919/mountain.html!x-usc:http://hidusi.com/e
    • http://hidusi.com/e273caf2ca371919/mountain.html!x-usc:http://hidusi.com/e273caf2ca371919/mountain.html
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/drawing/2016/ink
    • http://schemas.microsoft.com/office/drawing/2017/model3d
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2018/wordml/cex
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/word/2018/wordml
    • http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahash
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape