Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 bc89e0a88f20306b…

MALICIOUS

Office (OOXML) / .DOCX

12.8 KB Created: 2013-10-31 15:25:00 UTC Authoring application: Microsoft Office Word 16.0000
MD5: b4e5e83ae5aa20b5dfec2bc361288ef4 SHA-1: a1fb00db1f60ae14036a6f8575e33b993f03c179 SHA-256: bc89e0a88f20306b110844041c14bb60a9133ec923772471809958aa5bf25673
160 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: User Execution T1566.001 Phishing: Spearphishing Attachment T1059.001 PowerShell

The file exploits CVE-2021-40444, a critical vulnerability in Microsoft Office, by referencing an external HTML resource hosted at http://13.234.135.58/word.html. This indicates a likely attempt to download and execute a malicious payload from a remote server. The ClamAV detection further confirms the exploit's presence. The document body itself is heavily truncated and contains only XML namespace declarations, providing no further context on the lure.

Heuristics 4

  • External OLEObject gadget — CVE-2021-40444 critical CVE exact CVE_2021_40444
    External relationship to mhtml:http://13.234.135.58/word.html!x-usc:http://13.234.135.58/word.html — exploitable external OLEObject gadget pattern for CVE-2021-40444
  • ClamAV: Doc.Exploit.CVE_2021_40444-9891528-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Exploit.CVE_2021_40444-9891528-0
  • External relationship high OOXML_EXTERNAL_REL
    External target in word/_rels/document.xml.rels: mhtml:http://13.234.135.58/word.html!x-usc:http://13.234.135.58/word.html
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/drawing/2016/ink
    • http://schemas.microsoft.com/office/drawing/2017/model3d
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Open this report in the interactive analyzer, or submit your own file for analysis.