Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 2ef16308e1f35e38…

Verdict: MALICIOUS
File type: Office (OLE) / .DOC
Size: 782.0 KB
Created: 2010-03-27 00:08:00
Authoring application: Microsoft Office Word
MD5: 913a93825ec59612348297489ce24bb2
SHA-1: 6f4db2e9b79072ae393c70478b8cfb03aa17efd6
SHA-256: 2ef16308e1f35e387d309a4f62a261b67fd181a970fe07c1619d11feb809df2b
Risk score: 262

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The document contains a lure for a password-protected archive, a common tactic to bypass gateway security. It also embeds a PE executable, identified as malicious. The heuristics indicate the use of ShellExecute, LoadLibrary, and GetProcAddress, suggesting the execution of the embedded payload. The document body itself is minimal, providing a generic lure.

Heuristics (7)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation [high] [CVE likely] CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable.
  • Reference to ShellExecute API [high] SC_STR_SHELLEXEC
    The document contains a string referencing the ShellExecute API.
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
    The document contains a string referencing the LoadLibrary API.
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
    The document contains a string referencing the GetProcAddress API.
  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: embedded_office_00025dd3.exe
SHA-256: f564c74eb7d7678c6d37723349d6fe9224379fb24a05a464c9b8229748d0f1fb
Kind: embedded-pe
Source: Office MZ+PE at offset 0x25DD3
Size: 645677 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact entropy is 7.86, consistent with packed or encrypted content)

Filename: ole10native_00.bin
SHA-256: b7d86e03241ab740d686c8e81803d436377bbaecb5c6fa569b0759e820d48af9
Kind: ole-package
Source: OLE Ole10Native stream: ObjectPool/_1331142922/Ole10Native
Size: 728314 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact entropy is 7.64, consistent with packed or encrypted content)