Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 2f5b7fc6d042c708…

MALICIOUS

Office (OLE) / .DOC

154.5 KB Created: 2007-02-12 15:48:00
MD5: 9802674f569ecdced3a4e5145ba0a9b4 SHA-1: b71d1130006ab81e5b80e96a983e9cd89acbe842 SHA-256: 2f5b7fc6d042c708f832c0fa22512726aa600668e82d32560728c41b6d06bbd9
160 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking T1059.001 PowerShell T1204.002 Malicious File

The sample is a malicious OLE document containing an embedded PE executable. Heuristics indicate potential exploitation of CVE-2026-21514 and the use of WinExec and VirtualAlloc APIs, suggesting the embedded executable is likely a payload. The document body, presented as a Linux course syllabus, serves as a lure to encourage the user to interact with the embedded malicious file.

Heuristics 4

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0001de2e.exe
075a260515e237c834d2c2e6c8b3e0629bee566935bb3a0abcacf34e6fdc21f7		 embedded-pe Office MZ+PE at offset 0x1DE2E 35794 bytes
ole10native_00.bin
ce7d305f6faad5a19b03654aa6f1792e995da2eae7bfe2bdf54b19a1c573be2e		 ole-package OLE Ole10Native stream: ObjectPool/_161109252/Ole10Native 41580 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.