Office (OOXML) malware analysis — malicious · 2f0d1c355025ca08

MALICIOUS

Office (OOXML)

318.0 KB Created: 2019-03-31 04:11:00 UTC Authoring application: Microsoft Office Word 15.0000 First seen: 2021-09-23

MD5: e934bc769216f5066d65e23214f57dcf SHA-1: 384d1aa1f606df78cf506ffc5ac39e8ea2b7e3dd SHA-256: 2f0d1c355025ca0812fa460d2ccf482281ce3943cf53749953d98580c6e36dad

122 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The document contains an embedded OLE object with indicators of a dropped executable payload, suggesting an attempt to exploit CVE-2026-21514. The document body text, promising premium content, serves as a lure to encourage user interaction with the malicious object. The embedded OLE package is likely designed to download and execute a second-stage payload.

Heuristics 4

OOXML Ole10Native with payload/link indicators — possible CVE-2026-21514 high CVE likely CVE_2026_21514

Office document contains embedded OLE (word/embeddings/oleObject1.bin) with Ole10Native plus executable, PE, or risky remote-link indicators. This is a likely CVE-2026-21514 exploitation shape.
Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE

OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ooxml_oleobject_00.bin`	ooxml-ole-object	OOXML embedded OLE part: word/embeddings/oleObject1.bin	374784 bytes
SHA-256: `bc0bb845269ead41f29762ec6a8541e71f637f398d6dc00ebeb3d8d4f9ac8f38`
`ooxml_oleobject_00_ole10native_00.bin`	ole-package	OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native	369552 bytes
SHA-256: `0bffe22b04e5e96c51244adf8e25fb96a4f2031396cac7dce08a19d86685b469`
`emf_00.emf`	ooxml-emf	OOXML EMF part: word/media/image1.emf	5540 bytes
SHA-256: `61413f8414a00804c1ac330ddbfcb77821d07ef0679d93871d50818e51e7285f`

Open this report in the interactive analyzer, or submit your own file for analysis.