Office (OOXML) malware analysis — malicious · 09bb05993d9f6524

MALICIOUS

Office (OOXML)

432.5 KB Created: 2017-05-30 12:22:00 UTC Authoring application: Microsoft Office Word 15.0000 First seen: 2019-01-11

MD5: ec0086bc7621fb3865d46a4d0775320b SHA-1: 38bbdf46b92c7ccdaa01c3bd6291f41793d4f3e8 SHA-256: 09bb05993d9f6524bb081fd2f6974edca2f7a40fdd10e3466472cd04e4120577

162 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample contains an embedded OLE object with indicators of a malicious payload, specifically identified as a potential CVE-2026-21514 exploitation attempt. This heuristic, combined with the detection of a risky file type within the OLE package (an .lnk file), strongly suggests the document is designed to execute arbitrary code upon opening. The ClamAV detection further confirms its malicious nature, likely related to phishing.

Heuristics 5

OOXML Ole10Native with payload/link indicators — possible CVE-2026-21514 high CVE likely CVE_2026_21514

Office document contains embedded OLE (word/embeddings/oleObject1.bin) with Ole10Native plus executable, PE, or risky remote-link indicators. This is a likely CVE-2026-21514 exploitation shape.
ClamAV: Win.Phishing.Suspicious-6355520-3 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Phishing.Suspicious-6355520-3
Ole10Native package carries executable/script file type high OFFICE_PACKAGE_RISKY_FILE

OLE Package displayName or fullPath ends in an executable or script-capable extension. Even without UI extension spoofing, embedding a runnable payload inside an Office document is a high-risk delivery pattern.
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ooxml_oleobject_00.bin`	ooxml-ole-object	OOXML embedded OLE part: word/embeddings/oleObject1.bin	5632 bytes
SHA-256: `a448ce68dd06f7a34c9c211bb651e6f7025dcced27d3449ab84190b1ffc9620b`
`ooxml_oleobject_00_ole10native_00.bin`	ole-package	OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native	3217 bytes
SHA-256: `3a0211835dab0bb21130575c0d6b8b503e829b7b1ecce00fa07333f23df250c7`
`emf_00.emf`	ooxml-emf	OOXML EMF part: word/media/image2.emf	5440 bytes
SHA-256: `0f369ecc971467d3072be736a4f62fab6b70534998d3aa11ad0722ad23af99b2`

Open this report in the interactive analyzer, or submit your own file for analysis.