Malicious Office (OLE) / .EXE — malware analysis report

Static analysis result for SHA-256 158f5f2c4cab2186…

MALICIOUS

Office (OLE) / .EXE

Size: 105.5 KB
Created: 2010-07-02 13:23:00
Authoring application: Microsoft Office Word
MD5: 89bdc357666428fd28e4791d7050aa95
SHA-1: c4fff2db4377b3a294b3e345690f148ecc42c4db
SHA-256: 158f5f2c4cab2186c0a9e1456b1e0e9b2e685fec59987e34d12af365d9e23cf4
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is an OLE document containing an embedded PE executable. Heuristics indicate the use of VirtualAlloc, LoadLibrary, and GetProcAddress APIs, suggesting the embedded executable is likely a loader or dropper. The presence of an embedded executable within an Office document strongly suggests a spearphishing attachment attack vector, aiming to trick the user into executing the payload.

Heuristics 6

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation (severity: high, flag: CVE likely, rule: CVE_2026_21514)
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable (severity: critical, rule: OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable.
  • Reference to LoadLibrary API (severity: high, rule: SC_STR_LOADLIBRARY)
    Reference to LoadLibrary API.
  • Reference to GetProcAddress API (severity: high, rule: SC_STR_GETPROCADDRESS)
    Reference to GetProcAddress API.
  • Reference to VirtualAlloc API (severity: medium, rule: SC_STR_VIRTUALALLOC)
    Reference to VirtualAlloc API.
  • Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • Filename: embedded_office_00003265.exe
    SHA-256: 1e5287d8ba427cfecaf93297493058d2cf5a26acdfbdc2a3d20a1f6f546bdd6c
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x3265
    Size: 95131 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact entropy is 7.61, consistent with packed or encrypted content)
  • Filename: ole10native_00.bin
    SHA-256: 5df4d757a23a90b4f0c710dde596ad8bf5727b6544dd28ef21211c4506b7b03a
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_1339564384/Ole10Native
    Size: 91239 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact entropy is 7.75, consistent with packed or encrypted content)