Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 baf381721c82a773…

MALICIOUS

Office (OOXML) / .DOCX

Size: 433.2 KB
Created: 2026-05-07 02:07:00 UTC
Authoring application: WPS Office_12.1.0.21915_F1E327BC-269C-435d-A152-05C5408002CA
First seen: 2026-06-08
MD5: 20ffa405cc1a37ea9917a3318819e059
SHA-1: 280f0a43abe9feeb483670c2a3a4da29ce78ac60
SHA-256: baf381721c82a773d465213e5c3c1020191f2354f3a622751bf3b48ecdaa8a8d
Risk score: 144

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file is a malicious OOXML document containing an embedded OLE object, which in turn contains a Python script. The document body discusses Linux privilege escalation vulnerabilities (CVE-2026-43284, CVE-2026-43500) and provides instructions for checking and exploiting them, likely to trick the user into running the embedded script. The embedded Python script is identified as a potential exploit payload.

Heuristics (4)

  • ClamAV: Txt.Exploit.CopyFail-10060033-1 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Txt.Exploit.CopyFail-10060033-1
  • Embedded OLE object [medium] (OOXML_OLE_OBJECT)
    Document contains an embedded OLE object
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection: the per-URL labels show which channel (macro, JS, link annotation, document body, ...) reached each URL. All URLs below were found in document text (OOXML body / shared strings); each is a standard OOXML, Microsoft Office or WPS XML namespace URI declared in the document markup rather than a navigable link, so they do not by themselves indicate network activity.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
    • http://www.wps.cn/officeDocument/2013/wpsCustomData

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each artifact is listed with its filename, kind, source (where inside the sample it was carved from) and size.

  • ooxml_oleobject_00.bin
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
    Size: 3584 bytes
    SHA-256: c60c5527e49c3bb502b672b7fffc3eb5b8c6ff9d4e30eae5d559b54d2ce03a01
    Detection: ClamAV: Txt.Exploit.CopyFail-10060033-1
    Obfuscation or payload: unlikely
  • ooxml_oleobject_00_ole10native_00.bin
    Kind: ole-package
    Source: OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native
    Size: 1231 bytes
    SHA-256: 2020b3a1e2d729f098679a202bbdf93b4a0b12fa3a988693ddaeeb47d2de8add
  • ooxml_oleobject_00_ole10native_00_poc.py
    Kind: ole-package-payload
    Source: OOXML word/embeddings/oleObject1.bin Ole10Native payload: display_name=poc.py; full_path=/private/tmp/poc.py; temp_path=; def_file=
    Size: 1162 bytes
    SHA-256: 16800fe167cb4f9f877ac57a21d14787459daac91f0d6fa83ff1214d651cdda0
    Detection: ClamAV: Txt.Exploit.CopyFail-10060033-1
    Obfuscation or payload: likely
    Carved artifact contains 1 long base64-like blob(s).
  • emf_00.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image3.emf
    Size: 17256 bytes
    SHA-256: 29f2d457771bbe4acc7ec7f91f792d1d07a39f232839626b188c63f74fb5a46d