Verdict: MALICIOUS
Risk Score: 322
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample is a malicious Office document containing an embedded executable and a lure to enable content. The AutoOpen macro marker together with the Ole10Native package that drops an executable strongly suggests the document is designed to execute a payload when opened; the embedded executable and the enable-content lure are the key indicators of a malicious document dropper.
Heuristics (9)
- OLE with Ole10Native — possible CVE-2026-21514 exploitation (high, CVE likely, CVE_2026_21514): Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
- Embedded PE executable (critical, OLE_EMBEDDED_EXE): MZ/PE header found inside document — possible embedded executable.
- Ole10Native package drops an auto-executable payload (critical, OFFICE_PACKAGE_RISKY_FILE): OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
- x86 GetPC stub (CALL $+5; POP EAX) (high, SC_GETPC_CALL)

Disassembly (attempted x86 opcode disassembly):

```asm
0000ED33 e800000000   call 0xed38
0000ED38 58           pop eax
0000ED39 87d2         xchg edx, edx
0000ED3B 7401         je 0xed3e
0000ED3D 90           nop
0000ED3E 6793         xchg ebx, eax
0000ED40 6793         xchg ebx, eax
0000ED42 7306         jae 0xed4a
0000ED44 81e900000000 sub ecx, 0
0000ED4A 6623f6       and si, si
0000ED4D 66c1c740     rol di, 0x40
0000ED51 7707         ja 0xed5a
0000ED53 52           push edx
0000ED54 6a8a         push -0x76
0000ED56 83c404       add esp, 4
0000ED59 5a           pop edx
0000ED5A c1cba0       ror ebx, 0xa0
0000ED5D f8           clc
0000ED5E 66a936d5     test ax, 0xd536
0000ED62 7706         ja 0xed6a
0000ED64 56           push esi
0000ED65 6683e0ff     and ax, 0xffff
0000ED69 5e           pop esi
0000ED6A 7208         jb 0xed74
0000ED6C 7e06         jle 0xed74
0000ED6E 81c900000000 or ecx, 0
0000ED74 57           push edi
0000ED75 7b06         jnp 0xed7d
0000ED77 55           push ebp
0000ED78 6683e3ff     and bx, 0xffff
0000ED7C 5d           pop ebp
0000ED7D 5f           pop edi
0000ED7E 56           push esi
0000ED7F 7f04         jg 0xed85
0000ED81 6683e2ff     and dx, 0xffff
0000ED85 5e           pop esi
0000ED86 55           push ebp
0000ED87 23d2         and edx, edx
0000ED89 5d           pop ebp
0000ED8A 55           push ebp
0000ED8B 7405         je 0xed92
0000ED8D 25ffffffff   and eax, 0xffffffff
0000ED92 5d           pop ebp
```
- PEB access via FS segment (x86) (high, SC_PEB_ACCESS)

Disassembly (attempted x86 opcode disassembly):

```asm
0000E30A 64a130000000 mov eax, dword ptr fs:[0x30]
0000E310 89c7         mov edi, eax
0000E312 894f08       mov dword ptr [edi + 8], ecx
0000E315 8b470c       mov eax, dword ptr [edi + 0xc]
0000E318 8b400c       mov eax, dword ptr [eax + 0xc]
0000E31B 894818       mov dword ptr [eax + 0x18], ecx
0000E31E 6800800000   push 0x8000
0000E323 7104         jno 0xe329
0000E325 6683e5ff     and bp, 0xffff
0000E329 f8           clc
0000E32A 7006         jo 0xe332
0000E32C 55           push ebp
0000E32D 51           push ecx
0000E32E 0af6         or dh, dh
0000E330 59           pop ecx
0000E331 5d           pop ebp
0000E332 6a00         push 0
0000E334 89d8         mov eax, ebx
0000E336 3500000000   xor eax, 0
0000E33B 0bd2         or edx, edx
0000E33D 25ffffffff   and eax, 0xffffffff
0000E342 2500f0ffff   and eax, 0xfffff000
0000E347 50           push eax
0000E348 8d36         lea esi, [esi]
0000E34A 55           push ebp
0000E34B 7906         jns 0xe353
0000E34D 7c04         jl 0xe353
0000E34F f6df         neg bh
0000E351 f6df         neg bh
0000E353 5d           pop ebp
0000E354 f8           clc
0000E355 84c0         test al, al
0000E357 8b4228       mov eax, dword ptr [edx + 0x28]
0000E35A 0345f8       add eax, dword ptr [ebp - 8]
0000E35D 90           nop
0000E35E 7807         js 0xe367
0000E360 7705         ja 0xe367
0000E362 53           push ebx
0000E363 6a2b         push 0x2b
0000E365 5b           pop ebx
0000E366 5b           pop ebx
0000E367 8be4         mov esp, esp
0000E369 51           push ecx
```
- Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/tiff/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/exif/1.0/ (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | ClamAV | Obfuscation or payload |
|---|---|---|---|---|---|---|
| embedded_office_0000d848.exe | embedded-pe | Office MZ+PE at offset 0xD848 | 68024 bytes | 157656790793d217ec3642b0b2765be82cb9b6f046cc593beb5900a7ce933900 | No threats found | likely |
| ole10native_00.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1505647964/Ole10Native | 47802 bytes | ebb702ef44d07c63cd1f81e012617b5c0bea63bc0b34274b3e427276b1597761 | No threats found | likely |

Detection notes per artifact:
- embedded_office_0000d848.exe: Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_PEB_ACCESS, SC_GETPC_CALL. Carved macro source contains an auto-exec entry point and execution/download terms.
- ole10native_00.bin: Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL, SC_PEB_ACCESS, SC_GETPC_CALL.