Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0c58c679d9b31184…

MALICIOUS

Office (OLE)

208.5 KB Created: 1999-09-17 01:19:00 Authoring application: Microsoft Word 8.0 First seen: 2018-04-30
MD5: 65d2296a4f6e2b96dcee6684a3b0815e SHA-1: 66b16f4de60279eb40e4b4a01387c8f66c0e2087 SHA-256: 0c58c679d9b311840a4ed72247fc550bffb303eae7db099ea5973c704f879286
260 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is an Office document containing an embedded PE executable, identified by the 'OLE_EMBEDDED_EXE' and 'OFFICE_PACKAGE_RISKY_FILE' heuristics. The presence of 'WinExec' and 'VirtualAlloc' API references suggests the embedded executable is intended to be executed. The document body itself appears to be a benign academic paper, indicating the malicious payload is likely delivered via the embedded executable rather than the document content.

Heuristics 6

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0001e804.exe embedded-pe Office MZ+PE at offset 0x1E804 88572 bytes
SHA-256: 414943c8f80708257c6f5ec25fbc2e85aebc282d066e827e5f453ca41237b2d8
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_981968951/Ole10Native 41580 bytes
SHA-256: ca16b1bb03d33dbf671189a37f838fedb9cd108aa8dbcc9882f38a0a9a40024a
ole10native_01.bin ole-package OLE Ole10Native stream: ObjectPool/_981969221/Ole10Native 41580 bytes
SHA-256: ea6c88f27d3896195fb4223b2a6e5883b516a21eeb79b143b22498140ba826cc

Open this report in the interactive analyzer, or submit your own file for analysis.