Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 40af9626b6bd46c5…

MALICIOUS

Office (OLE)

78.5 KB Created: 2010-10-07 12:27:00 Authoring application: Microsoft Office Word First seen: 2020-02-04
MD5: 5f67af7f8f22bcaca8fc58d734873191 SHA-1: b0cc03013416bb4f38b55eb007535730c6e5084d SHA-256: 40af9626b6bd46c547e4102ae246061130e993a1cc4de6c63e03e72e8f5f86ef
282 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document that exploits CVE-2007-3899, a memory corruption vulnerability. It contains an embedded executable file (embedded_office_0000a604.exe) and an OLE package (ole10native_00.bin) which likely facilitates the execution of the embedded payload. The document body is a fabricated expense justification, a common lure for phishing attacks.

Heuristics 7

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0000a604.exe embedded-pe Office MZ+PE at offset 0xA604 37884 bytes
SHA-256: 05c54aebe3b64c22c33e20dd8cc3349be0ab9746c56b36001c388bb1fe562625
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1083150352/Ole10Native 41580 bytes
SHA-256: bc1eae4b13da01eb9fbfe0995b06cc45e47ff7ef93a175c8c3ce191b6bc10c16

Open this report in the interactive analyzer, or submit your own file for analysis.