Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 2943fbf0582b3cb9…

MALICIOUS

Office (OOXML) / .DOC

Size: 2.3 KB
First seen: 2026-02-20
MD5: a8a8267a1beaace1e4e11a452a2905ff
SHA-1: ac1073cedefa643588fc211c06d83699677ba7d0
SHA-256: 2943fbf0582b3cb9ab987554d7a1c26f094159e550bdc0d19764166b3e1d1881
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.002 Malicious Link: Malicious File

The sample is an OOXML document containing an embedded OLE object. Heuristics indicate that this object is associated with CVE-2026-21509, a vulnerability that allows arbitrary code execution. The document body confirms that the file is a proof of concept for exploiting this CVE via an embedded OLE object.

Heuristics (2)

  • CVE-2026-21509 exploit: vulnerable OLE CLSID in embedded object (severity: high; category: CVE related; rule: CVE_2026_21509)
    The embedded OLE object contains the CLSID associated with CVE-2026-21509 (OLE/COM Killbit/Protected View bypass). Actively exploited in the wild.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    The document contains an embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: 9789507d9e799809d265f576daaee370f135e2d9130c7fb6639ec970b7ae37c2
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: word/embeddings/oleDummy.bin
Size: 1024 bytes