Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 07cc0178184d1d55…

MALICIOUS

Office (OLE) / .DOC

Size: 190.0 KB
Created: 2010-03-03 20:29:00
Authoring application: Microsoft Office Word
MD5: fd6279592bfd2db37e297091243b32a2
SHA-1: 7e61cbe156d9ea417a7848d61ef81c9511e5e803
SHA-256: 07cc0178184d1d55a76aabbf9b92cf6e69b5987d47c4da4a56c807e2d7e6ae84
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1027 Obfuscated Files or Information

The sample is a Microsoft Word document containing an embedded executable file (MZ header detected). Heuristics indicate the presence of Ole10Native packaging, which is often used to drop and execute payloads. The document body appears to be a legal document, likely a lure to trick the user into opening or interacting with the embedded malicious content. The embedded executable is the primary indicator of malicious intent.

Heuristics (6)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation (severity: high; CVE likely; ID: CVE_2026_21514)
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable (severity: critical; ID: OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable.
  • Ole10Native package drops an auto-executable payload (severity: critical; ID: OFFICE_PACKAGE_RISKY_FILE)
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to WinExec API (severity: high; ID: SC_STR_WINEXEC)
    Reference to the WinExec API found in the embedded content.
  • Reference to VirtualAlloc API (severity: medium; ID: SC_STR_VIRTUALALLOC)
    Reference to the VirtualAlloc API found in the embedded content.
  • Embedded URL (severity: info; ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • embedded_office_0001da04.exe
    SHA-256: 913569415064d136497097b45bd3d613e670198cdde47d48493f8ce3e0d91976
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x1DA04
    Size: 73212 bytes
  • ole10native_00.bin
    SHA-256: c52a7ebe6d441b63da98af0100278a3cc472fd6ac91f646111b01e354eb000ae
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_104678152/Ole10Native
    Size: 41580 bytes
  • ole10native_01.bin
    SHA-256: 86b70df23e8b563241b937d4b4658c75f866c0b32e1d8e0405200b4c69344886
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_75076080/Ole10Native
    Size: 70532 bytes