Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 287bece238b5016d…

MALICIOUS

Office (OLE)

284.5 KB Created: 2007-02-16 15:25:00 Authoring application: Microsoft Word 9.0 First seen: 2020-09-15
MD5: 0d83c09a04f9e97661699eac0ca505f4 SHA-1: f8e7549e1d512c2bcfe0181b61ae836d6ec9e547 SHA-256: 287bece238b5016dcb889aa640fd20be9ef55d8ddf7bf2d51eeaed2f99ff6ab1
362 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file is an OLE document containing an embedded executable file (MZ header detected). Heuristics indicate this is an Ole10Native package designed to drop an auto-executable payload, specifically a .bat file. ClamAV identifies the embedded artifact as Win.Worm.Darby-7, suggesting a worm-like behavior. The embedded executable and the package itself are the primary IOCs.

Heuristics 7

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • ClamAV: Win.Worm.Darby-7 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Worm.Darby-7
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00016259.exe embedded-pe Office MZ+PE at offset 0x16259 200615 bytes
SHA-256: 1e8bd54e64cff33ac13439439379c0e113c99d53b7c83517133a7dbeb742b0da
Detection
ClamAV: Win.Worm.Darby-7
Obfuscation or payload: unlikely
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1167976245/Ole10Native 111236 bytes
SHA-256: 2c04a8834dd46791014dc14e8decf5053189c360bbbc707fbd32b1e63253171a
Detection
ClamAV: Win.Worm.Darby-7
Obfuscation or payload: likely
Carved artifact entropy is 7.70, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.