Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 3ed86e4a47a1223a…

MALICIOUS

Office (OOXML)

Size: 4.00 MB
Created: 2021-07-06 00:01:00 UTC
Authoring application: Microsoft Office Word 16.0000
MD5: b1a38c74f09fea8394816f15443c961f
SHA-1: d35de189bf627d77d321d49e7deca7487cf64108
SHA-256: 3ed86e4a47a1223af842743cee86dcb4c7c4be2ea70985dbf724b084365f622e
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1134.001 Access Token Manipulation: Token Impersonation/Theft

The file is an OOXML document containing an embedded OLE object with Ole10Native indicators, suggesting it is designed to exploit CVE-2026-21514. This embedded object is flagged as dropping an auto-executable payload, likely an executable file. The presence of external hyperlinks further supports a phishing or malicious content delivery vector.

Heuristics (6)

  • OOXML Ole10Native with payload/link indicators — possible CVE-2026-21514 (severity: high; CVE likely; rule: CVE_2026_21514)
    Office document contains embedded OLE (word/embeddings/oleObject1.bin) with Ole10Native plus executable, PE, or risky remote-link indicators. This is a likely CVE-2026-21514 exploitation shape.
  • Ole10Native package drops an auto-executable payload (severity: critical; rule: OFFICE_PACKAGE_RISKY_FILE)
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • External relationship (severity: medium; rule: OOXML_EXTERNAL_REL)
    External target in word/charts/_rels/chart1.xml.rels: Gráfico no Microsoft Word
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object
  • External hyperlinks (12) (severity: low; rule: OOXML_EXTERNAL_HYPERLINKS)
    Document contains 12 external hyperlinks — clickable URLs are stored as external relationships. First target: https://www.osetoreletrico.com.br/projecao-da-atualizacao-tecnologica-do-parque-de-iluminacao-publica-no-brasil/
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.procelinfo.com.br
    • http://www.procel
    • https://www.aneel.gov.br/
    • http://www.aneel.gov.br/cedoc/ren2010414.pdf
    • https://www.epe.gov.br/
    • https://www.epe.gov.br/pt/publicacoes-dados-abertos/publicacoes/balanco-energetico-nacional-2020
    • https://www.osetoreletrico.com.br/projecao-da-atualizacao-tecnologica-do-parque-de-iluminacao-publica-no-brasil/
    • http://cdeam.ufam.edu.br/attachments/article/107/gestao_energ.pdf
    • http://www.aneel.gov.br
    • https://www.abeeolica
    • http://www.abesco.com.br
    • http://www.abgd.com.br
    • http://www.biomassabr.com/
    • http://www.abnt.org.br
    • http://www.abrapch.org.br
    • https://www.absolar.org.br
    • http://www.bndes.gov.br
    • http://www.ibam.org.br
    • http://www.ibge.gov.br
    • http://www.inee.org/eficiencia
    • http://www.inmet.gov.br/
    • http://www.inmetro.gov.br
    • http://www.epe.gov.br
    • http://www.eletrobras.com/procel
    • http://www.rce.org.br
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
    • http://schemas.microsoft.com/office/word/2006/arto
    • http://schemas.microsoft.com/office/mac/office/2008/main
    • http://schemas.microsoft.com/office/drawing/2010/main
    • http://schemas.microsoft.com/office/word/2018/wordml
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/word/2018/wordml/cex
    • http://schemas.microsoft.com/office/drawing/2017/model3d
    • http://schemas.microsoft.com/office/drawing/2016/ink
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    +11 more URL(s)

Extracted artifacts (14)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
ooxml_oleobject_00.bin | 995a5bb57c1e70c16d5cbe541a5e6a4ab9bbc75eb4780d5e76b06e15bb2a065e | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject1.bin | 45056 bytes
ooxml_oleobject_00_ole10native_00.bin | 7765dd5a0e4cb0dec467922d7332b7800577f3d9dd61783166efd1c085950d0a | ole-package | OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native | 41572 bytes
emf_00.emf | 63197b1b6c704597d5fbd1eb7df15c979d9d527ec61165be4b71ebf88d1bb1d9 | ooxml-emf | OOXML EMF part: word/media/image21.emf | 10092 bytes
emf_01.emf | d2c098657cb46d3cd374fb7e587a2db0396f1ba7c826e451957bb02e9601c4bf | ooxml-emf | OOXML EMF part: word/media/image23.emf | 12224 bytes
emf_02.emf | 6e60457603b63ed728f6dfac63bfff8ede7795eceb8e5dd65e3f69a229c7e886 | ooxml-emf | OOXML EMF part: word/media/image20.emf | 15164 bytes
emf_03.emf | d66904f32540f5813ee0f93e6c10598db49e6d0c8409344ae2c4339d9c932944 | ooxml-emf | OOXML EMF part: word/media/image22.emf | 15060 bytes
emf_04.emf | fab5c2771e639da1249146b2b8b0b753d51f93ab7464386684bd55e20986a6c2 | ooxml-emf | OOXML EMF part: word/media/image24.emf | 14752 bytes
emf_05.emf | 599d81883d3a07a7a41e96b0ffec56a39ef37528267e9ff5cad67bec6cf048da | ooxml-emf | OOXML EMF part: word/media/image14.emf | 14560 bytes
emf_06.emf | 26d46a97c325f27d7c15518ad0f3424d423535d9fb1af7cace1772479427bbe0 | ooxml-emf | OOXML EMF part: word/media/image13.emf | 19152 bytes
emf_07.emf | 97833983b1de7fef7712b14a4932459435b8a0af6cf71fd2f959938c72353ead | ooxml-emf | OOXML EMF part: word/media/image18.emf | 14600 bytes
emf_08.emf | 1a681c35be3d33f51d111cf0b365c0e6df0eba086bd7ec0ba84678d7cc49d1ce | ooxml-emf | OOXML EMF part: word/media/image12.emf | 29960 bytes
emf_09.emf | 1bf9f209218c17deaccfd20cb8800aa7f00f82072ff8d361af6948fd3b0f0ac1 | ooxml-emf | OOXML EMF part: word/media/image26.emf | 15100 bytes
emf_10.emf | 5f8ed73b86d7d4b5e4ded14c7b1e124428ec2250719bb75ca5c13c569624fb50 | ooxml-emf | OOXML EMF part: word/media/image25.emf | 12916 bytes
emf_11.emf | 7600e2bf2e1b5992fe6f1af3bdb41803608317d7ca603189333b968eb876a198 | ooxml-emf | OOXML EMF part: word/media/image16.emf | 16100 bytes