Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0747b743dcdaf848…

MALICIOUS

Office (OLE)

Size: 120.5 KB
Created: 2015-10-06 17:48:00
Authoring application: Microsoft Office Word
First seen: 2019-01-12
MD5: 2d16e2757b85a52a92bdc8a13b8a28a6
SHA-1: c489a61777c325cf1cb26797cd54278264877c23
SHA-256: 0747b743dcdaf8480b6923b8666ea7049f7562f74663786906937940f0929d7c
Risk Score: 322

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample is a malicious Office document containing an embedded executable and a lure to enable content. The AutoOpen macro marker together with an Ole10Native package that drops an executable strongly suggests the document is designed to execute a payload when it is opened. The embedded executable and the enable-content lure are the key indicators of a malicious document dropper.

Heuristics (9)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation [high, CVE likely] CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload [critical] OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • x86 GetPC stub (CALL $+5; POP EAX) [high] SC_GETPC_CALL
    Disassembly
    Attempted x86 opcode disassembly
    0000ED33  e800000000        call 0xed38
    0000ED38  58                pop eax
    0000ED39  87d2              xchg edx, edx
    0000ED3B  7401              je 0xed3e
    0000ED3D  90                nop
    0000ED3E  6793              xchg ebx, eax
    0000ED40  6793              xchg ebx, eax
    0000ED42  7306              jae 0xed4a
    0000ED44  81e900000000      sub ecx, 0
    0000ED4A  6623f6            and si, si
    0000ED4D  66c1c740          rol di, 0x40
    0000ED51  7707              ja 0xed5a
    0000ED53  52                push edx
    0000ED54  6a8a              push -0x76
    0000ED56  83c404            add esp, 4
    0000ED59  5a                pop edx
    0000ED5A  c1cba0            ror ebx, 0xa0
    0000ED5D  f8                clc
    0000ED5E  66a936d5          test ax, 0xd536
    0000ED62  7706              ja 0xed6a
    0000ED64  56                push esi
    0000ED65  6683e0ff          and ax, 0xffff
    0000ED69  5e                pop esi
    0000ED6A  7208              jb 0xed74
    0000ED6C  7e06              jle 0xed74
    0000ED6E  81c900000000      or ecx, 0
    0000ED74  57                push edi
    0000ED75  7b06              jnp 0xed7d
    0000ED77  55                push ebp
    0000ED78  6683e3ff          and bx, 0xffff
    0000ED7C  5d                pop ebp
    0000ED7D  5f                pop edi
    0000ED7E  56                push esi
    0000ED7F  7f04              jg 0xed85
    0000ED81  6683e2ff          and dx, 0xffff
    0000ED85  5e                pop esi
    0000ED86  55                push ebp
    0000ED87  23d2              and edx, edx
    0000ED89  5d                pop ebp
    0000ED8A  55                push ebp
    0000ED8B  7405              je 0xed92
    0000ED8D  25ffffffff        and eax, 0xffffffff
    0000ED92  5d                pop ebp
  • PEB access via FS segment (x86) [high] SC_PEB_ACCESS
    Disassembly
    Attempted x86 opcode disassembly
    0000E30A  64a130000000      mov eax, dword ptr fs:[0x30]
    0000E310  89c7              mov edi, eax
    0000E312  894f08            mov dword ptr [edi + 8], ecx
    0000E315  8b470c            mov eax, dword ptr [edi + 0xc]
    0000E318  8b400c            mov eax, dword ptr [eax + 0xc]
    0000E31B  894818            mov dword ptr [eax + 0x18], ecx
    0000E31E  6800800000        push 0x8000
    0000E323  7104              jno 0xe329
    0000E325  6683e5ff          and bp, 0xffff
    0000E329  f8                clc
    0000E32A  7006              jo 0xe332
    0000E32C  55                push ebp
    0000E32D  51                push ecx
    0000E32E  0af6              or dh, dh
    0000E330  59                pop ecx
    0000E331  5d                pop ebp
    0000E332  6a00              push 0
    0000E334  89d8              mov eax, ebx
    0000E336  3500000000        xor eax, 0
    0000E33B  0bd2              or edx, edx
    0000E33D  25ffffffff        and eax, 0xffffffff
    0000E342  2500f0ffff        and eax, 0xfffff000
    0000E347  50                push eax
    0000E348  8d36              lea esi, [esi]
    0000E34A  55                push ebp
    0000E34B  7906              jns 0xe353
    0000E34D  7c04              jl 0xe353
    0000E34F  f6df              neg bh
    0000E351  f6df              neg bh
    0000E353  5d                pop ebp
    0000E354  f8                clc
    0000E355  84c0              test al, al
    0000E357  8b4228            mov eax, dword ptr [edx + 0x28]
    0000E35A  0345f8            add eax, dword ptr [ebp - 8]
    0000E35D  90                nop
    0000E35E  7807              js 0xe367
    0000E360  7705              ja 0xe367
    0000E362  53                push ebx
    0000E363  6a2b              push 0x2b
    0000E365  5b                pop ebx
    0000E366  5b                pop ebx
    0000E367  8be4              mov esp, esp
    0000E369  51                push ecx
  • Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (each labelled with the channel in which it was found):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
    • http://ns.adobe.com/tiff/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/exif/1.0/ (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: embedded_office_0000d848.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0xD848
Size: 68024 bytes
SHA-256: 157656790793d217ec3642b0b2765be82cb9b6f046cc593beb5900a7ce933900
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_PEB_ACCESS, SC_GETPC_CALL. Carved macro source contains an auto-exec entry point and execution/download terms.

Filename: ole10native_00.bin
Kind: ole-package
Source: OLE Ole10Native stream: ObjectPool/_1505647964/Ole10Native
Size: 47802 bytes
SHA-256: ebb702ef44d07c63cd1f81e012617b5c0bea63bc0b34274b3e427276b1597761
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_PEB_ACCESS, SC_GETPC_CALL