Malicious Office (OLE) / .D — malware analysis report

Static analysis result for SHA-256 12447eaaa498e087…

MALICIOUS

Office (OLE) / .D

Size: 73.5 KB
Created: 2010-04-16 09:23:00
Authoring application: Microsoft Office Word
MD5: 203501ac57bb8f35e0992f1bc640ecaf
SHA-1: 0c6d84caf2d18425c7f14f07bbac878d61c30629
SHA-256: 12447eaaa498e08753a0eb1874b010833437bf886db8c4df0bb460d1d1562f13
Risk score: 462

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document that contains VBA macros and an embedded executable. Heuristics indicate exploitation of CVE-2007-3899, a memory corruption vulnerability, which is used to drop and execute the embedded PE file. The document body contains Arabic text that appears to be instructions for enabling macros, suggesting a social engineering lure.

Heuristics (10)

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption [critical; CVE likely; CVE_2007_3899]
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • OLE with Ole10Native — possible CVE-2026-21514 exploitation [high; CVE likely; CVE_2026_21514]
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • XOR-encoded strings (key 0xF6) [critical; SC_XOR_ENCODED]
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xF6: 'KERNEL32.DLL', 'LoadLibraryA', 'GetProcAddress', 'InternetOpenA', 'ShellExecuteA'
  • Embedded PE executable [critical; OLE_EMBEDDED_EXE]
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload [critical; OFFICE_PACKAGE_RISKY_FILE]
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • ClamAV: Win.Trojan.Agent-36383 [critical; CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Trojan.Agent-36383
  • ClamAV detection on extracted artifact [critical; EXTRACTED_FILE_CLAMAV]
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Reference to GetProcAddress API [high; SC_STR_GETPROCADDRESS]
    Reference to GetProcAddress API
  • VBA macros detected [medium; OLE_VBA_MACROS]
    Document contains VBA macro code
  • Suspicious extracted artifact [info; EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: b519f9c00271fec7f7a6010d68159de32eef009b9024b90a5348e7204ddd934b
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 368 bytes
  • embedded_office_000032a3.exe
    SHA-256: e24ada24c64399ca2d0c147ab348fdaf41b0caf2fd686be71222df8d7ec8c690
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x32A3
    Size: 62301 bytes
    Detection: ClamAV: Win.Trojan.Agent-36385
    Obfuscation or payload: unlikely
  • ole10native_00.bin
    SHA-256: 20129dee3bb3dc306becb50247f893e9196063628846efdcc173f9f875825378
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_1332922323/Ole10Native
    Size: 51394 bytes
    Detection: ClamAV: Win.Trojan.Agent-36383
    Obfuscation or payload: likely
    Carved artifact entropy is 7.83, consistent with packed or encrypted content.