Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1415d31291d0e40b…

MALICIOUS

Office (OLE)

144.5 KB Created: 2015-07-27 16:30:00 Authoring application: Microsoft Office Word First seen: 2019-03-10
MD5: 40b0be6029d17d9056382046cb44a046 SHA-1: afbdd21698542c3e490c96bfd6e222805f82d58e SHA-256: 1415d31291d0e40b0f03ca089aff98a2a622732fc2927028f8c7f4bbaef218e7
222 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is an Office document containing an embedded PE executable and an Ole10Native object, indicating it is designed to drop and execute a payload. Heuristics for WinExec and VirtualAlloc APIs suggest the dropped executable will likely perform system-level operations. The presence of an embedded executable strongly suggests a malicious intent to deliver a secondary stage payload.

Heuristics 6

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0001662e.exe embedded-pe Office MZ+PE at offset 0x1662E 56274 bytes
SHA-256: f63b35d774543dae0e20a753e2fa1cb82615784e5e46b90765efc9ef4e2789cf
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_979485558/Ole10Native 41580 bytes
SHA-256: ce7d305f6faad5a19b03654aa6f1792e995da2eae7bfe2bdf54b19a1c573be2e

Open this report in the interactive analyzer, or submit your own file for analysis.