Win.Trojan.Truko-10 — Office (OLE) / .DOC malware analysis

Static analysis result for SHA-256 3f512ed10459ef58…

MALICIOUS

Office (OLE) / .DOC

Size: 6.11 MB
Created: 2010-04-04 04:46:00
Authoring application: Microsoft Office Word
MD5: 5db44f81ad14d42d4b2e2896e70206f7
SHA-1: 58db827d674e6d13a40beaca62479e5afdcc1b2f
SHA-256: 3f512ed10459ef58c99c6161c75b160b4bc8cb7686ac415eed24409c1c86d884
Risk Score: 300

Malware Insights

Win.Trojan.Truko-10 · confidence 95%

MITRE ATT&CK
  • T1204.002 Malicious Link
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1218.011 Rundll32

The file is identified as Win.Trojan.Truko-10 by ClamAV. The document body contains a lure to click an embedded image, suggesting a social engineering attack. Heuristics indicate the use of ShellExecute, VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress, which are common for loading and executing shellcode. The presence of Ole10Native suggests potential exploitation of CVE-2026-21514.

Heuristics 8

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation | high | CVE likely | CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • ClamAV: Win.Trojan.Truko-10 | critical | CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Truko-10
  • Heap-spray pattern detected | high | SC_HEAP_SPRAY
    Repeated 0x04 bytes found
  • Reference to ShellExecute API | high | SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API | high | SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API | high | SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API | medium | SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API | medium | SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
ole10native_00.bin (58dc7983d77d015352f7af0a81496b586cafc23f9d57d7313cc232d2f73225ea) | ole-package | OLE Ole10Native stream: ObjectPool/_1331850724/Ole10Native | 6086496 bytes