Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0c78b7d640e5d3a3…

MALICIOUS

Office (OLE)

Size: 193.5 KB
Created: 2016-04-19 08:06:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: 66aa8ea58cab66bd35bf8aa000fd9d32
SHA-1: 37ec84ab1cbb3a864bf7b64f006b96be0f2f48e2
SHA-256: 0c78b7d640e5d3a397a75adedbfa09756dac92dd931dfd44f016ca080134b781
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample is a malicious Office document containing an embedded PE executable. It also contains legacy WordBasic macros, indicated by the AutoOpen marker, which are likely used to execute the embedded file. References to LoadLibrary and GetProcAddress APIs further suggest dynamic code execution. The presence of an embedded executable and macro execution points to a downloader or dropper.

Heuristics (7)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation [severity: high] [CVE likely] rule: CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable [severity: critical] rule: OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable.
  • Reference to LoadLibrary API [severity: high] rule: SC_STR_LOADLIBRARY
    Reference to LoadLibrary API.
  • Reference to GetProcAddress API [severity: high] rule: SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API.
  • Suspicious extracted artifact [severity: high] rule: EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Legacy WordBasic auto-exec macro marker [severity: medium] rule: OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [severity: info] rule: EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • embedded_office_0000624c.exe
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x624C
    Size: 172980 bytes
    SHA-256: 0f07ef72ab97a6e1d7b6d74fcf5edec0e79baca87d7b6a8207e9a746bb34ef13
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Carved macro source contains an auto-exec entry point and execution/download terms.
  • ole10native_00.bin
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_1522597816/Ole10Native
    Size: 145606 bytes
    SHA-256: d572a47ca1f3e7189e7873c7aa316d5f1fe2813bfe95488a4e27ad408fc31ccd