Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 4396e0a48b2c6461…

MALICIOUS

Office (OLE) / .DOC

Size: 2.14 MB | Created: 2000-01-30 00:04:00 | Authoring application: Microsoft Word 8.0
MD5: 4e4a756aa37db83ea36f4abb4895d33f
SHA-1: 590ad5fa372e7f678159c8e3551f65f379eadac3
SHA-256: 4396e0a48b2c6461baa9d2489caecb130cccfc6b7c270c234da5b3d2d485e3db
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1559.002 Component Object Model Hijacking
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The sample contains an embedded PE executable, indicating it is a dropper. Heuristics suggest exploitation of OLE objects, potentially CVE-2026-21514, to execute this payload. The document body, a manual for 'Easy Pay Plus', appears to be a lure to disguise the malicious intent. The embedded executable is the primary indicator of malicious activity.

Heuristics (5)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation [severity: high] [rule: CVE likely CVE_2026_21514]
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable [severity: critical] [rule: OLE_EMBEDDED_EXE]
    MZ/PE header found inside document — possible embedded executable.
  • Heap-spray pattern detected [severity: high] [rule: SC_HEAP_SPRAY]
    Repeated 0x07 bytes found.
  • Reference to WinExec API [severity: high] [rule: SC_STR_WINEXEC]
    String reference to the WinExec API found.
  • Reference to VirtualAlloc API [severity: medium] [rule: SC_STR_VIRTUALALLOC]
    String reference to the VirtualAlloc API found.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename                     | Kind        | Source                                                  | Size         | SHA-256
-----------------------------|-------------|---------------------------------------------------------|--------------|-----------------------------------------------------------------
embedded_office_001d3404.exe | embedded-pe | Office MZ+PE at offset 0x1D3404                         | 326652 bytes | 7da48b91a1993cb44e129446617f38f81efb7bbea7614e125cf6417e875d5719
ole10native_00.bin           | ole-package | OLE Ole10Native stream: ObjectPool/_1009993502/Ole10Native | 152740 bytes | b3376d5c89102a57be66c9d2f55e45236ac9afa9e167d7e12ab9ea7bdfe44ec3
ole10native_01.bin           | ole-package | OLE Ole10Native stream: ObjectPool/_952673933/Ole10Native  | 45316 bytes  | 3efe77dcb72caa536976e4d4637ea578796c599da7f1e3ff4b0827eb48a24265
ole10native_02.bin           | ole-package | OLE Ole10Native stream: ObjectPool/_978888680/Ole10Native  | 116612 bytes | 93d710f38918b1dffa1650fbe232a191277f0072b0d8f064c32dd71b18ffc2a3
ole10native_03.bin           | ole-package | OLE Ole10Native stream: ObjectPool/_981364704/Ole10Native  | 41580 bytes  | 7e14875d01e2b96350b4de55d7506bfb15fd0a13acd6f5594ef6f524bed05ef0