Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 656d19186795280a…

MALICIOUS

Office (OOXML)

Size: 375.9 KB
Created: 2021-04-04 03:19:00 UTC
Authoring application: Microsoft Office Word 16.0000
MD5: aa929a977ab5127320b699dfd2c9dc89
SHA-1: 563f6641d6aac897a85cf8b23f0410ec3472bd48
SHA-256: 656d19186795280a068fcb97e7ef821b55ad3d620771d42ed98d22ee3c635e67
Risk score: 70

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The critical heuristic CVE_2026_21509 fired because the document contains the Shell.Explorer.1 CLSID. This CLSID is known to be exploitable, allowing arbitrary code execution. The external hyperlinks, although benign in this case, are a pattern commonly seen in malicious documents that try to lure users to malicious sites or trigger exploits.

Heuristics (3)

  • CVE-2026-21509 — Shell.Explorer.1 CLSID in document (severity: critical; category: CVE related; id: CVE_2026_21509)
    Document contains CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} (Shell.Explorer.1). ActiveX/embedded-object context raises confidence; plain document text is treated as related evidence.
  • External hyperlinks (63) (severity: low; id: OOXML_EXTERNAL_HYPERLINKS)
    Document contains 63 external hyperlinks — clickable URLs are stored as external relationships. First target: https://ar.wikipedia.org/wiki/كتاب
  • Embedded URL (severity: info; id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ar.wikipedia.org/wiki/كتاب