Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 851bf4ab807fc9b2…

MALICIOUS

Office (OOXML)

Size: 12.9 KB
Created: 2021-04-15 11:03:00 UTC
Authoring application: Microsoft Office Word 16.0000
MD5: dbd8bf06b69d9f4457f55e244d2f4f03
SHA-1: 13e7bd7d1ddc44e3045c00375987056a2d882757
SHA-256: 851bf4ab807fc9b29c9f6468c8c89a82b8f94e40474c6669f105bce91f278fdb
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is a malicious OOXML document that exploits CVE-2026-21509. The critical heuristic fired on the presence of the Shell.Explorer.1 CLSID, which is commonly used to embed ActiveX controls for exploitation. The document body contains text about law enforcement actions in Uzbekistan, which may serve as a lure; the primary malicious functionality is the exploitation of the embedded ActiveX control.

Heuristics (2)

  • CVE-2026-21509: Shell.Explorer.1 CLSID in document (severity: critical; tags: CVE related, CVE_2026_21509)
    Document contains CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} (Shell.Explorer.1). ActiveX/embedded-object context raises confidence; plain document text is treated as related evidence.
  • Embedded URL (severity: info; tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape