Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 376f2e727345a5c9…

MALICIOUS

Office (OLE)

440.5 KB Created: 2017-06-02 00:54:00 Authoring application: Microsoft Office Word First seen: 2017-10-28
MD5: fd5b52d08a4488f478f6d5d1d17b6501 SHA-1: 44626317023fb538521e9171e18750b49f54e25c SHA-256: 376f2e727345a5c9076b74c359605a4da6d4d93f4c92b1d3ab0ea3cc3c0ca279
482 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is a Microsoft Word document containing an embedded PE executable and an Ole10Native package designed to drop an auto-executable payload. Heuristics indicate references to WinExec, CreateProcess, LoadLibrary, and GetProcAddress APIs, suggesting the execution of a secondary payload. The embedded executable and the Ole10Native package are the primary indicators of malicious intent, likely facilitating the execution of malware.

Heuristics 11

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • Legacy Flash object embedded in Office document high CVE related OFFICE_LEGACY_SWF_OBJECT
    Office document embeds a ShockwaveFlash ActiveX object with a legacy SWF version (5). This is old Flash-in-Office exploit-family evidence, not a specific Flash CVE without SWF tag-level validation.
  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Embedded Adobe Flash (SWF) in OLE document critical OFFICE_EMBEDDED_SWF
    Document contains an embedded Adobe Flash (SWF) object. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 involved Flash objects embedded in Office files. Adobe Flash has been end-of-life since December 2020.
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00003a68.exe embedded-pe Office MZ+PE at offset 0x3A68 436120 bytes
SHA-256: e2b4e8a53a7a585a611ea69c6003c9e9b1266b7ce193b4fdfd5459a9bbd85ea0
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1129443725/Ole10Native 426520 bytes
SHA-256: 747b1729f06b7f48857273ee91968725060c7a38c7be24bd80fcd420a501a9a1

Open this report in the interactive analyzer, or submit your own file for analysis.