MALICIOUS
602
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059 Command and Scripting Interpreter
T1566.001 Spearphishing Attachment
The sample exploits CVE-2007-3899, a memory corruption vulnerability in Microsoft Word, to execute arbitrary code. It contains an embedded OLE package that drops a PE executable. The embedded script within the OLE package is designed to download and execute a second-stage payload, indicated by the presence of CreateProcess, ShellExecute, LoadLibrary, and GetProcAddress API calls. The document also attempts to lure the user into executing commands via the clipboard and requests sensitive recovery information.
Heuristics 14
-
CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
-
OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
Ole10Native package payload is a download-and-execute script critical OFFICE_PACKAGE_SCRIPT_DROPPERThe OLE Package's embedded payload contains a script that hosts a shell (PowerShell/WScript/mshta), fetches a remote resource, and executes it — a download-and-run dropper. Embedding such a script inside an Office document via the Object Packager is a direct user-execution delivery technique (MITRE T1204.002), not a benign attachment.
-
Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILEOLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
-
Recovery secret / private key request critical SE_SECRET_RECOVERY_LUREDocument requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
-
PEB access via GS segment (x64) high SC_PEB_ACCESS_X64PEB access via GS segment (x64)
Disassembly
Attempted x86 opcode disassembly00082026 65488b042560000000 mov rax, qword ptr gs:[0x60] 0008202F 8b90bc000000 mov edx, dword ptr [rax + 0xbc] 00082035 c1ea08 shr edx, 8 00082038 f6c201 test dl, 1 0008203B 7511 jne 0x8204e 0008203D ff15ae1d0100 call qword ptr [rip + 0x11dae] 00082043 488bc8 mov rcx, rax 00082046 8bd3 mov edx, ebx 00082048 ff157b1c0100 call qword ptr [rip + 0x11c7b] 0008204E 8bcb mov ecx, ebx 00082050 e80c000000 call 0x82061 00082055 8bcb mov ecx, ebx 00082057 ff15ac1b0100 call qword ptr [rip + 0x11bac] 0008205D cc int3 0008205E cc int3 0008205F cc int3 00082060 cc int3 00082061 48895c2408 mov qword ptr [rsp + 8], rbx 00082066 57 push rdi 00082067 4883ec20 sub rsp, 0x20 0008206B 488364243800 and qword ptr [rsp + 0x38], 0 00082071 4c8d442438 lea r8, [rsp + 0x38] 00082076 8bf9 mov edi, ecx 00082078 488d155a380300 lea rdx, [rip + 0x3385a] 0008207F 33c9 xor ecx, ecx 00082081 ff .byte 0xff 00082082 15 .byte 0x15 00082083 92 xchg edx, eax 00082084 1b01 sbb eax, dword ptr [rcx]
-
Reference to CreateProcess API high SC_STR_CREATEPROCESSReference to CreateProcess API
-
Reference to ShellExecute API high SC_STR_SHELLEXECReference to ShellExecute API
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LUREDocument tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://ocsp.usertrust.com0 Embedded OLE package script
- https://secure.comodo.net/CPS0FEmbedded OLE package script
- http://ocsp.comodoca.com0Embedded OLE package script
- http://ts-ocsp.ws.symantec.com07In document text (OLE body)
- http://ocsp.thawte.com0In document text (OLE body)
- http://www.chiark.greenend.org.uk/~sgtatham/putty/Embedded OLE package script
- http://schemas.microsoft.com/SMI/2005/WindowsSettingsEmbedded OLE package script
- http://crl.usertrust.com/AddTrustExternalCARoot.crl05Embedded OLE package script
- http://crl.comodoca.com/COMODOSHA256CodeSigningCA.crl0wEmbedded OLE package script
- http://crt.comodoca.com/COMODOSHA256CodeSigningCA.crt0$Embedded OLE package script
- http://ts-aia.ws.symantec.com/tss-ca-g2.cer0In document text (OLE body)
- http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(In document text (OLE body)
- http://crl.thawte.com/ThawteTimestampingCA.crl0In document text (OLE body)
- http://www.chiark.greenend.org.uk/~sgtatham/putty/0In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_office_000044a1.exe |
embedded-pe | Office MZ+PE at offset 0x44A1 | 837983 bytes |
SHA-256: 208823bf896370fa3bfe6b13ad6e975b5c4b6392e65c1c5f4aeb833e0dfe38df |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS_X64, SC_STR_SHELLEXEC, SC_STR_GETPROCADDRESS Static shellcode analysis recovered API/import strings: shell32.dll, ShellExecuteA, GetProcAddress, CreateProcessA, CreateThread, LoadLibraryA
|
|||
ole10native_00.bin |
ole-package | OLE Ole10Native stream: ObjectPool/_1619344815/Ole10Native | 829757 bytes |
SHA-256: f1f59f977d920b61f0dc70f71d642c950cd048ddbbe6da301c6f3996c58be2de |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS_X64, SC_STR_SHELLEXEC, SC_STR_GETPROCADDRESS Static shellcode analysis recovered API/import strings: shell32.dll, ShellExecuteA, GetProcAddress, CreateProcessA, CreateThread, LoadLibraryA
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.