Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 244b5ed919f59c42…

MALICIOUS

Office (OLE) / .DOC

Size: 2.07 MB
Created: 2010-07-03 03:05:00
Authoring application: Microsoft Office Word
MD5: 5eaffc4bda6c1dd9922596cc3c204d6f
SHA-1: e086ed463c2e24d3c445d427db085845a9c1160a
SHA-256: 244b5ed919f59c42102f0d684f472601b629d419fc4a13da919097f943ca9133
Risk Score: 162

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The document contains a lure suggesting the user open an embedded package disguised as photos. Heuristics indicate the use of ShellExecute, LoadLibrary, and GetProcAddress APIs, commonly used by malware to execute or load malicious code. The presence of an embedded OLE package (ole10native_00.bin) further supports the delivery of a secondary payload. The document body's Portuguese text translates to 'Embed Package A slide of my best photos. Aaah and to open it just open my photo. Kisses ;*', reinforcing the social engineering aspect.

Heuristics (5)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation (severity: high; CVE likely; rule: CVE_2026_21514)
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Reference to ShellExecute API (severity: high; rule: SC_STR_SHELLEXEC)
  • Reference to LoadLibrary API (severity: high; rule: SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (severity: high; rule: SC_STR_GETPROCADDRESS)
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ole10native_00.bin
SHA-256: 0073d8d1e6946423326b4b86729755732e4da2b9b65db98aac462c40959471ea
Kind: ole-package
Source: OLE Ole10Native stream: ObjectPool/_1339620710/Ole10Native
Size: 1852532 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.41, consistent with packed or encrypted content.