MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The sample is a Microsoft Office document containing an embedded OLE object that is flagged as containing an executable payload. ClamAV detections indicate the packed payload is likely Win.Packed.Loki. This suggests the document is designed to exploit a vulnerability, likely CVE-2026-21514, to execute the embedded malware upon opening.
Heuristics 5
-
ClamAV: Win.Dropper.Nanocore-10025433-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Dropper.Nanocore-10025433-0
-
Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILEOLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
-
Embedded OLE object medium OOXML_OLE_OBJECTDocument contains an embedded OLE object
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/markup-compatibility/2006 In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
ooxml_oleobject_00.bin |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject1.bin | 542720 bytes |
SHA-256: cbaa8e7ac4f8311af945a40353a7ff0565d9a816af3a83682545d42cb8b53dd2 |
|||
|
Detection
ClamAV:
Win.Dropper.Nanocore-10025433-0
Obfuscation or payload:
likely
Static shellcode analysis found candidate code region(s). Indicators: SC_STR_VIRTUALPROTECT, heap spray 0x06 Static shellcode analysis recovered API/import strings: kernel32.dll, KERNEL32.DLL, VirtualProtect Carved artifact entropy is 7.74, consistent with packed or encrypted content.
|
|||
ooxml_oleobject_00_ole10native_00.bin |
ole-package | OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native | 536017 bytes |
SHA-256: 6a47f192bfcb56bdcab28eca613db574bc0f1e95ce8569887969a66957322410 |
|||
|
Detection
ClamAV:
Win.Dropper.Nanocore-10025433-0
Obfuscation or payload:
likely
Static shellcode analysis found candidate code region(s). Indicators: SC_STR_VIRTUALPROTECT, heap spray 0x06 Static shellcode analysis recovered API/import strings: kernel32.dll, KERNEL32.DLL, VirtualProtect Carved artifact entropy is 7.73, consistent with packed or encrypted content.
|
|||
emf_00.emf |
ooxml-emf | OOXML EMF part: word/media/image1.emf | 5508 bytes |
SHA-256: 8dea4e02aad091784435cb62bac317e3662eed30daf41f9fdb2ab595969f6576 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.