MALICIOUS
320
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The sample is an OLE document containing an embedded PE executable. Heuristics indicate the potential for exploitation of CVE-2026-21514 and the dropping of an auto-executable payload. The embedded executable is the primary indicator of malicious intent, likely delivered via spearphishing.
Heuristics 7
-
OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILEOLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
-
Reference to WinExec API high SC_STR_WINEXECReference to WinExec API
-
Reference to CreateProcess API high SC_STR_CREATEPROCESSReference to CreateProcess API
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_office_00003c82.exe |
embedded-pe | Office MZ+PE at offset 0x3C82 | 486782 bytes |
SHA-256: 5f8c0fbfbe74a828e76e965627c742e8b8e81990493635bf5404f4bd4fa418f0 |
|||
ole10native_00.bin |
ole-package | OLE Ole10Native stream: ObjectPool/_1132480449/Ole10Native | 482741 bytes |
SHA-256: c2d72b353384af52063e83a95e57e3b0a591f48e781371e81a77bf1acaac337f |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.