Win.Dropper.Nanocore-10018817-0 — Office (OOXML) malware analysis

Static analysis result for SHA-256 33a756185f49ca9d…

MALICIOUS

Office (OOXML)

693.5 KB Created: 2018-10-15 00:37:00 UTC Authoring application: Microsoft Office Word 15.0000 First seen: 2020-02-04
MD5: 90d2b48afd3a69a14272c91fb2635497 SHA-1: f3d522d4d34209cc72de1363ba15f922477f7e6c SHA-256: 33a756185f49ca9de56e10b28fd5a0709e8be73c0e289ee667787e75c49e9318
222 Risk Score

Malware Insights

Win.Dropper.Nanocore-10018817-0 · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file is identified as malicious due to the presence of an embedded OLE object with Ole10Native indicators, strongly suggesting exploitation of CVE-2026-21514. ClamAV detection confirms this, identifying the payload as Win.Dropper.Nanocore-10018817-0. This indicates the document is designed to deliver and execute a secondary malicious payload.

Heuristics 5

  • ClamAV: Win.Dropper.Fareit-6682733-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Dropper.Fareit-6682733-0
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject1.bin 1009664 bytes
SHA-256: dd3b9f19917a232f67d6ddaac6167e6a35131e7b55a1458525587a0236e1b463
Detection
ClamAV: Win.Dropper.Fareit-6682733-0
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_MSF_REVERSE, SC_STR_VIRTUALALLOC, SC_STR_LOADLIBRARY Static shellcode analysis recovered API/import strings: LoadLibraryExA, VirtualAlloc, GetProcAddress, ExitProcess, CreateThread, VirtualProtect
ooxml_oleobject_00_ole10native_00.bin ole-package OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 999182 bytes
SHA-256: 6338fd6120cc81b058478153c1ae1aca6dd22079615e1ea1b454860df11d3760
Detection
ClamAV: Win.Dropper.Fareit-6682733-0
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_MSF_REVERSE, SC_STR_VIRTUALALLOC, SC_STR_LOADLIBRARY Static shellcode analysis recovered API/import strings: LoadLibraryExA, VirtualAlloc, GetProcAddress, ExitProcess, CreateThread, VirtualProtect
emf_00.emf ooxml-emf OOXML EMF part: word/media/image1.emf 5324 bytes
SHA-256: d9eb8348a0036b9ec59dc5daed65932f46555ebcfb6a9cf56431bd34cab759a1

Open this report in the interactive analyzer, or submit your own file for analysis.