Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 ed2b9e22aef3e545…

MALICIOUS

Office (OOXML) / .DOCX

12.4 KB Created: 2021-09-01 12:33:00 UTC Authoring application: Microsoft Office Word 16.0000
MD5: d5742309ba8146be9eab4396fde77e4e SHA-1: 8aaa79ee4a81d02e1023a03aee62a47162a9ff04 SHA-256: ed2b9e22aef3e545814519151528b2d11a5e73d1b2119c067e672b653ab6855a
162 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample is a malicious OOXML document identified as exploiting CVE-2021-40444. It contains an external OLEObject relationship pointing to http://175.24.190.249/note.html. This indicates the document is designed to lure the user into executing malicious code by leveraging this known vulnerability. No scripts were extracted, but the exploit chain is clearly defined by the heuristics.

Heuristics 4

  • External OLEObject gadget — CVE-2021-40444 critical CVE exact CVE_2021_40444
    External relationship to mhtml:http://175.24.190.249/note.html!x-usc:http://175.24.190.249/note.html — exploitable external OLEObject gadget pattern for CVE-2021-40444
  • ClamAV: Doc.Exploit.CVE_2021_40444-9891528-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Exploit.CVE_2021_40444-9891528-0
  • External relationship high OOXML_EXTERNAL_REL
    External target in word/_rels/document.xml.rels: mhtml:http://175.24.190.249/note.html!x-usc:http://175.24.190.249/note.html
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://175.24.190.249/note.html!x-usc:http://175.24.190.249/note.html
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/drawing/2016/ink
    • http://schemas.microsoft.com/office/drawing/2017/model3d
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Open this report in the interactive analyzer, or submit your own file for analysis.