Malicious Office (OOXML) — malware analysis report

Heuristics 8

• OOXML Ole10Native with payload/link indicators — possible CVE-2026-21514 high CVE likely CVE_2026_21514
  Office document contains embedded OLE (word/embeddings/oleObject2.bin) with Ole10Native plus executable, PE, or risky remote-link indicators. This is a likely CVE-2026-21514 exploitation shape.
• Ole10Native package carries executable/script file type high OFFICE_PACKAGE_RISKY_FILE
  OLE Package displayName or fullPath ends in an executable or script-capable extension. Even without UI extension spoofing, embedding a runnable payload inside an Office document is a high-risk delivery pattern.
• Embedded OLE object medium OOXML_OLE_OBJECT
  Document contains an embedded OLE object
• Macro/content-enable lure medium SE_ENABLE_LURE
  Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
• External hyperlinks (1) low OOXML_EXTERNAL_HYPERLINKS
  Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: http://eway.ca/
• Fake invoice / payment lure low SE_INVOICE_LURE
  Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
• Payload URL recovered from embedded OLE object (1 URL) info OOXML_EMBEDDED_OBJECT_URL
  An embedded OLE object (xl/word/ppt embeddings) carries a next-stage download URL in its Ole10Native/Package stream — stored literally (incl. UTF-16) or base64-encoded — which the package-level URL sweep does not see. Surfaced as an IOC; self-validating (only real payload hosts).
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://corporateplatform.info/changelog.php In document text (OOXML body / shared strings)

  • http://eway.ca/Document hyperlink
  • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)
  • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
  • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
  • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
  • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
  • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
  • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
  • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
  • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
  • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
  • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
  • http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
  • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
  • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
  • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
  • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Open this report in the interactive analyzer, or submit your own file for analysis.