Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 15ab777e81b00ca6…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 746.2 KB
Created: 2021-07-29 22:35:00 UTC
Authoring application: Microsoft Office Word 14.0000
MD5: 289f765202b99073dbb4669c6e8b029f
SHA-1: 63b8155ba225ce34c6768c57d99f3fb5c8a0b0b2
SHA-256: 15ab777e81b00ca69704187f3bd74ce6c9d12f7b79dd8a4dce4ce0d430975276
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is a Word (OOXML) document whose embedded OLE part (word/embeddings/oleObject1.bin) carries an Ole10Native package wrapping an executable payload. ClamAV detects both the OLE part and the carved Ole10Native stream as Win.Packed.Taskun-9883719-0, a packed Windows executable. The packaged file is named with an auto-executable extension, which has no benign authoring use, so the document functions as a malware-delivery dropper; the scanner additionally flags the Ole10Native shape as a possible CVE-2026-21514 exploitation pattern. Whether the payload runs because the victim opens the embedded object or through the flagged exploitation path, the result is arbitrary code execution on the host, consistent with delivery as a spearphishing attachment.

Heuristics (6)

  • OOXML Ole10Native with payload/link indicators — possible CVE-2026-21514 [high] (rule CVE_2026_21514, tagged "CVE likely")
    Office document contains an embedded OLE part (word/embeddings/oleObject1.bin) with an Ole10Native stream plus executable, PE, or risky remote-link indicators. This matches the shape of a likely CVE-2026-21514 exploitation attempt.
  • Ole10Native package drops an auto-executable payload [critical] (rule OFFICE_PACKAGE_RISKY_FILE)
    The OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary, or a script that the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use; it is a malware-delivery dropper.
  • ClamAV: Win.Packed.Taskun-9883719-0 [critical] (rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Packed.Taskun-9883719-0
  • ClamAV detection on extracted artifact [critical] (rule EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Embedded OLE object [medium] (rule OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • Embedded URL [info] (rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All twelve URLs listed here are OOXML and Word XML namespace identifiers taken from the document's own markup, not remote link targets, so they carry no network indicator.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
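To make concrete what the two Ole10Native heuristics above actually test, the following is an added example (not the scanner's code and not part of the original report). It parses the body of an Ole10Native (OLE Packager) stream of the kind carved from word/embeddings/oleObject1.bin, recovers the displayName label, the author-side fullPath and the wrapped bytes, and then applies the OFFICE_PACKAGE_RISKY_FILE test: an auto-executable extension on the label or path, plus a check for a PE signature in the payload. The stream layout used (4-byte size, 2-byte flags, NUL-terminated label and source path, 4-byte flags, 4-byte temp-path length, NUL-terminated temp path, 4-byte data size, data) is the commonly documented Packager format; the extension list, the PE stub and the sample stream are constructed for this example and are assumptions, not data from the sample.

```python
"""Parse an Ole10Native (OLE Packager) stream and flag auto-executable payloads.

Added example, not part of the original report or the scanner. The stream
layout follows the commonly documented Packager format; the extension list
and the sample input below are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Tuple

# Extensions the Windows shell hands straight to a loader or script host on
# double-click. Assumption: illustrative list, not the scanner's own rule set.
AUTO_EXEC_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".ps1", ".hta", ".msi", ".cpl",
}


@dataclass
class Ole10Native:
    label: str        # displayName shown to the victim
    src_path: str     # fullPath on the author's machine
    temp_path: str    # path Packager used when the object was created
    data: bytes       # the wrapped file


def _cstring(buf: bytes, pos: int) -> Tuple[str, int]:
    """Read a NUL-terminated ANSI string at pos; return (text, position after NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_ole10native(stream: bytes) -> Ole10Native:
    """Parse the body of a \\x01Ole10Native stream carved from an OLE compound file."""
    if len(stream) < 6:
        raise ValueError("stream too short")
    (total_size,) = struct.unpack_from("<I", stream, 0)
    if total_size > len(stream) - 4:
        raise ValueError("declared size exceeds stream length")
    pos = 6                                   # 4-byte size + 2-byte flags
    label, pos = _cstring(stream, pos)
    src_path, pos = _cstring(stream, pos)
    pos += 8                                  # 4-byte flags + 4-byte temp-path length
    temp_path, pos = _cstring(stream, pos)
    (data_size,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    data = stream[pos:pos + data_size]
    if len(data) != data_size:
        raise ValueError("payload truncated")
    return Ole10Native(label, src_path, temp_path, data)


def is_pe(data: bytes) -> bool:
    """MZ header plus a PE\\0\\0 signature at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def risky_extension(name: str) -> bool:
    """True when the final path component ends in an auto-executable extension."""
    base = name.lower().replace("\\", "/").rsplit("/", 1)[-1]
    return any(base.endswith(ext) for ext in AUTO_EXEC_EXTENSIONS)


def classify(pkg: Ole10Native) -> dict:
    """Indicators a triage rule like OFFICE_PACKAGE_RISKY_FILE would act on."""
    return {
        "risky_name": risky_extension(pkg.label) or risky_extension(pkg.src_path),
        "pe_payload": is_pe(pkg.data),
        "payload_size": len(pkg.data),
    }


def build_sample_stream(label: str, src_path: str, payload: bytes) -> bytes:
    """Constructed test input: a minimal Ole10Native stream wrapping payload."""
    temp = b"C:\\Users\\user\\AppData\\Local\\Temp\\" + label.encode("latin-1") + b"\x00"
    body = (struct.pack("<H", 2)
            + label.encode("latin-1") + b"\x00"
            + src_path.encode("latin-1") + b"\x00"
            + struct.pack("<II", 0x300, len(temp)) + temp
            + struct.pack("<I", len(payload)) + payload)
    return struct.pack("<I", len(body)) + body


# Constructed PE stub: an MZ header whose e_lfanew points at a PE signature.
FAKE_PE = bytearray(b"MZ" + b"\x00" * 0x3E)
FAKE_PE[0x3C:0x40] = struct.pack("<I", 0x40)
FAKE_PE += b"PE\x00\x00" + b"\x00" * 20

# Constructed sample: a packaged "Invoice.exe" like the dropper shape described above.
SAMPLE_STREAM = build_sample_stream(
    "Invoice.exe", "C:\\Users\\user\\Desktop\\Invoice.exe", bytes(FAKE_PE))

if __name__ == "__main__":
    pkg = parse_ole10native(SAMPLE_STREAM)
    print(pkg.label, pkg.src_path, classify(pkg))
```

To run this against a real carved stream, replace SAMPLE_STREAM with the bytes of the Ole10Native stream (for this sample, the 1039885-byte ole-package artifact in the Extracted artifacts section). Carving the stream itself (unzipping the OOXML part, then reading the stream out of the OLE compound file) is a separate step not shown here.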

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • ooxml_oleobject_00.bin
    SHA-256: a7f42572492d1e83d941238182ddae4e78b3c71b13743c50deee8fd6ce66ba14
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
    Size: 1051136 bytes
    Detection: ClamAV: Win.Packed.Taskun-9883719-0
    Obfuscation or payload: unlikely
  • ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 59417e3a967c3e2882d3143e6d6d47ea29cd4002d82709d9b1949c3e7e5b90ff
    Kind: ole-package
    Source: OOXML word/embeddings/oleObject1.bin, Ole10Native stream
    Size: 1039885 bytes
    Detection: ClamAV: Win.Packed.Taskun-9883719-0
    Obfuscation or payload: unlikely
  • emf_00.emf
    SHA-256: 2d5317f06523c6f34a363fe5b03e75c3866a3311af76ee401114886172bbd52f
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 5384 bytes