Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0278426533230e4d…

MALICIOUS

Office (OLE)

200.5 KB Created: 2018-11-16 08:40:00 Authoring application: Microsoft Office Word First seen: 2019-02-26
MD5: 2d605990365947096827eab9f68ff23c SHA-1: f305dd561350e9f0cca6b3fd6a2cf5a581dbe89e SHA-256: 0278426533230e4d8d5160c51c5ec4d68ae6495a7bbc6cfa08731d01c3187197
222 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document that contains a critical vulnerability (CVE-2007-3899) related to malformed strings, which can lead to memory corruption and arbitrary code execution. The presence of Ole10Native suggests that the document is designed to drop and execute an embedded payload, likely an executable file. The document body content appears to be a resume, which is a common lure for spearphishing attachments.

Heuristics 6

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/officeDocument/2006/bibliography In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliographyPIn document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1515098145/Ole10Native 41572 bytes
SHA-256: 9f5e2f228b98862d554a6934ffeba585e753a77d87c5a31c5adfe87c4d17d997