Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 122b263c253d9970…

MALICIOUS

Office (OLE)

Size: 605.5 KB
Created: 2018-05-04 02:29:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 8cf3561361a7142210fccd07095cf212
SHA-1: bf64193cc84599ca9e5d6bf3789eb61feea087f3
SHA-256: 122b263c253d9970bd3168f413230b0cf1d9fc65be69b07bfcacaa6d4956d2a1
Risk Score: 482

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution

The sample is a malicious Microsoft Office document containing an embedded PE executable. Heuristics indicate the presence of Metasploit shellcode and references to the VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress APIs, suggesting the embedded executable is designed to download and execute a second-stage payload. The detection of CVE-2007-3899 and Ole10Native further supports exploitation and payload delivery. The embedded executable and the Ole10Native artifact are the primary IOCs.

Heuristics 12

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • ClamAV: Doc.Downloader.Jrat-6336393-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Jrat-6336393-1
  • Metasploit reverse_tcp shellcode critical SC_MSF_REVERSE
    Metasploit reverse_tcp shellcode
    Disassembly
    Attempted x86 opcode disassembly
    000562C7  fc                cld
    000562C8  e882000000        call 0x5634f
    000562CD  5f                pop edi
    000562CE  5e                pop esi
    000562CF  5b                pop ebx
    000562D0  8be5              mov esp, ebp
    000562D2  5d                pop ebp
    000562D3  c3                ret
    000562D4  8d4000            lea eax, [eax]
    000562D7  53                push ebx
    000562D8  56                push esi
    000562D9  8bd8              mov ebx, eax
    000562DB  3b5324            cmp edx, dword ptr [ebx + 0x24]
    000562DE  7436              je 0x56316
    000562E0  8bf2              mov esi, edx
    000562E2  85f6              test esi, esi
    000562E4  7518              jne 0x562fe
    000562E6  33c0              xor eax, eax
    000562E8  8a4318            mov al, byte ptr [ebx + 0x18]
    000562EB  8b0485804d4600    mov eax, dword ptr [eax*4 + 0x464d80]
    000562F2  50                push eax
    000562F3  a1cc4f4600        mov eax, dword ptr [0x464fcc]
    000562F8  8b00              mov eax, dword ptr [eax]
    000562FA  ffd0              call eax
    000562FC  8bd0              mov edx, eax
    000562FE  895324            mov dword ptr [ebx + 0x24], edx
    00056301  c6434401          mov byte ptr [ebx + 0x44], 1
    00056305  8b4304            mov eax, dword ptr [ebx + 4]
    00056308  e8ba060000        call 0x569c7
    0005630D  85f6              test esi, esi
    0005630F  7505              jne 0x56316
    00056311  33c0              xor eax, eax
    00056313  894324            mov dword ptr [ebx + 0x24], eax
    00056316  5e                pop esi
    00056317  5b                pop ebx
    00056318  c3                ret
    00056319  8bc0              mov eax, eax
    0005631B  3b5028            cmp edx, dword ptr [eax + 0x28]
    0005631E  7413              je 0x56333
    00056320  895028            mov dword ptr [eax + 0x28], edx
    00056323  c6402c00          mov byte ptr [eax + 0x2c], 0
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

embedded_office_00003e9b.exe | embedded-pe | Office MZ+PE at offset 0x3E9B | 604005 bytes
SHA-256: 2503a10b00d01e1c4455d73f32dd07dd356152aa45cfe02ee88d769258e8f8fe
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_MSF_REVERSE, SC_STR_VIRTUALPROTECT, SC_STR_VIRTUALALLOC
Static shellcode analysis recovered API/import strings: VirtualProtect, LoadLibraryExA, VirtualAlloc, GetProcAddress, ExitProcess

ole10native_00.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1586938555/Ole10Native | 595379 bytes
SHA-256: 4b4442d78b8aa4932024c9cac68c6f4ed5ca724a9bd0b8a345278289222027a4
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_MSF_REVERSE, SC_STR_VIRTUALPROTECT, SC_STR_VIRTUALALLOC
Static shellcode analysis recovered API/import strings: VirtualProtect, LoadLibraryExA, VirtualAlloc, GetProcAddress, ExitProcess