Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 16ad8298e642d524…

MALICIOUS

Office (OLE)

Size: 719.0 KB
Created: 2014-12-02 03:31:00
Authoring application: Microsoft Office Word
First seen: 2018-06-21
MD5: dcadfe8c1da9616b69b1101e7980f263
SHA-1: 0af9358126f957efd60ff9b89e7d35d0c2710998
SHA-256: 16ad8298e642d524e4d113a87fbb69fb15d8ef90056d860155041c6f0b12d189
Risk score: 482

Malware Insights

MITRE ATT&CK:
  • T1203 Exploitation for Client Execution
  • T1059 Command and Scripting Interpreter
  • T1105 Ingress Tool Transfer

The sample is a malicious Microsoft Word document that exploits CVE-2007-3899 to execute arbitrary code. It leverages an embedded OLE package containing a script that downloads and executes a second-stage payload, identified as an EXE file. The embedded URLs suggest an attempt to fetch the payload from potentially compromised or malicious sources.

Heuristics (10)

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption [critical; CVE likely; CVE_2007_3899]
    The Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • OLE with Ole10Native — possible CVE-2026-21514 exploitation [high; CVE likely; CVE_2026_21514]
    The document contains a Word OLE object with an Ole10Native stream plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; because this combination of indicators is stronger than a bare Ole10Native stream, it is treated as likely exploitation.
  • ClamAV: Win.Packed.Delf-9864759-0 [critical; CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Packed.Delf-9864759-0
  • Ole10Native package payload is a download-and-execute script [critical; OFFICE_PACKAGE_SCRIPT_DROPPER]
    The OLE Package's embedded payload contains a script that invokes a shell host (PowerShell/WScript/mshta), fetches a remote resource, and executes it, which is the signature of a download-and-run dropper. Embedding such a script inside an Office document via the Object Packager is a direct user-execution delivery technique (MITRE T1204.002), not a benign attachment.
  • Ole10Native package drops an auto-executable payload [critical; OFFICE_PACKAGE_RISKY_FILE]
    The OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use; it is a malware-delivery dropper.
  • x86 GetPC stub (CALL $+5; POP EAX) [high; SC_GETPC_CALL]
    Disassembly (attempted x86 opcode disassembly of the candidate region):
    000988E3  e800000000        call 0x988e8
    000988E8  58                pop eax
    000988E9  055a0b0000        add eax, 0xb5a
    000988EE  8b30              mov esi, dword ptr [eax]
    000988F0  03f0              add esi, eax
    000988F2  2bc0              sub eax, eax
    000988F4  8bfe              mov edi, esi
    000988F6  66ad              lodsw ax, word ptr [esi]
    000988F8  c1e00c            shl eax, 0xc
    000988FB  8bc8              mov ecx, eax
    000988FD  50                push eax
    000988FE  ad                lodsd eax, dword ptr [esi]
    000988FF  2bc8              sub ecx, eax
    00098901  03f1              add esi, ecx
    00098903  8bc8              mov ecx, eax
    00098905  57                push edi
    00098906  51                push ecx
    00098907  49                dec ecx
    00098908  8a443906          mov al, byte ptr [ecx + edi + 6]
    0009890C  880431            mov byte ptr [ecx + esi], al
    0009890F  75f6              jne 0x98907
    00098911  2bc0              sub eax, eax
    00098913  ac                lodsb al, byte ptr [esi]
    00098914  8bc8              mov ecx, eax
    00098916  80e1f0            and cl, 0xf0
    00098919  240f              and al, 0xf
    0009891B  c1e10c            shl ecx, 0xc
    0009891E  8ae8              mov ch, al
    00098920  ac                lodsb al, byte ptr [esi]
    00098921  0bc8              or ecx, eax
    00098923  51                push ecx
    00098924  02cd              add cl, ch
    00098926  bd00fdffff        mov ebp, 0xfffffd00
    0009892B  d3e5              shl ebp, cl
    0009892D  59                pop ecx
    0009892E  58                pop eax
    0009892F  8bdc              mov ebx, esp
    00098931  8da46c90f1ffff    lea esp, [esp + ebp*2 - 0xe70]
    00098938  51                push ecx
    00098939  2bc9              sub ecx, ecx
    0009893B  51                push ecx
    0009893C  51                push ecx
    0009893D  8bcc              mov ecx, esp
    0009893F  51                push ecx
    00098940  668b17            mov dx, word ptr [edi]
  • Reference to ShellExecute API [high; SC_STR_SHELLEXEC]
  • Reference to GetProcAddress API [high; SC_STR_GETPROCADDRESS]
  • Suspicious extracted artifact [medium; EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info; EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the thawte.com and ws.symantec.com entries are OCSP, CRL and AIA endpoints of the Thawte/Symantec timestamping CA, strings that normally originate from an Authenticode signature block inside an embedded PE, and the trailing characters after each of them (0, 07, 0() are the adjacent DER bytes picked up by the string extractor, not part of the address; the schemas.openxmlformats.org entry is an XML namespace identifier rather than a download location.
    URL (source):
    • http://ocsp.thawte.com0 (Embedded OLE package script)
    • http://ts-ocsp.ws.symantec.com07 (Embedded OLE package script)
    • http://crl.thawte.com/ThawteTimestampingCA.crl0 (Embedded OLE package script)
    • http://ts-aia.ws.symantec.com/tss-ca-g2.cer0 (Embedded OLE package script)
    • http://ts-crl.ws.symantec.com/tss-ca-g2.crl0( (In document text (OLE body))
    • http://schemas.openxmlformats.org/drawingml/2006/main (In document text (OLE body))
    • http://ts-crl.ws.symantec.com/tss-ca-g2.crl0 (Embedded OLE package script)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ole10native_00.bin
Kind: ole-package
Source: OLE Ole10Native stream: ObjectPool/_1479086401/Ole10Native
Size: 684517 bytes
SHA-256: b8922feb2d64f9d2fa15e7ff3e4f37077c7be0f74e28e696bc2426431be75c4f
Detection: ClamAV: Win.Packed.Delf-9864759-0
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_STR_GETPROCADDRESS, SC_STR_SHELLEXEC, SC_GETPC_CALL.
Static shellcode analysis recovered API/import strings: kernel32.dll, advapi32.dll, shell32.dll, KERNEL32.DLL, ADVAPI32.DLL, GetProcAddress.
Carved artifact entropy is 8.00, consistent with packed or encrypted content.