First of all sorry if I am asking a trivial question.
As far as I know, XML is used for representing document structures. Can entirely static sites accepting no user inputs at all be vulnerable to XML, DTD and entity attacks?
If it happens, In what context is it possible ?
So XXE is usually seen in areas of a site which accept user input. If by static site, you mean a site that purely responds to HTTP GET requests for documents hosted on a server, then there's not really anywhere for XXE to occur.
The only scenario I could think of would be if the site processed a section of the URL or HTTP headers and included that as an entity in a request to an XML web service, but then at that point your site isn't really static!
XXE attacks are about processing malicious XML input from the user, so a static site cannot be vulnerable.
