Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 366605b45bf1ed79…

MALICIOUS

Office (OLE)

273.5 KB Created: 2017-08-01 21:18:00 Authoring application: Microsoft Office Word First seen: 2017-08-08
MD5: 320267db4557e19b990dc58843f5eee4 SHA-1: a605d9d51d900120398f3c801ce4e314fa82301e SHA-256: 366605b45bf1ed794cf18d63c92072f6fac4df9c77db56abb57a61d5ff321daa
382 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059 Command and Scripting Interpreter T1203 Exploitation for Client Execution

The sample is a Microsoft Word document that exploits CVE-2007-3899 to drop an embedded PE executable. The document body suggests a compatibility pack lure to encourage user interaction with the embedded object. The presence of ShellExecute and LoadLibrary API calls, along with an embedded PE executable, indicates the file's intent to execute a malicious payload. The document also contains a password-protected archive lure, commonly used to bypass security controls.

Heuristics 9

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_000036b5.exe embedded-pe Office MZ+PE at offset 0x36B5 266059 bytes
SHA-256: 785eb438ef8c58f25cf2993e4f3ac293987eb710df21565564d4aadfd1001fab
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.54, consistent with packed or encrypted content.
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1563131045/Ole10Native 261833 bytes
SHA-256: 2f6f975c0849bf3dd1ea03056faaa60c02ea5f59031cdd0bf27b6cd9062887ea
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.59, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.