Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 43eeedd8e62b1d41…

MALICIOUS

Office (OLE)

273.5 KB Created: 2009-11-13 17:23:00 Authoring application: Microsoft Office Word First seen: 2019-01-11
MD5: e92b10a602aedc57109b246f5ee04e17 SHA-1: 8fca22032b6825cbcb471410eff3c8af216a35e4 SHA-256: 43eeedd8e62b1d41edd2ee9e96a8b28c4b633ac87b2f680bcb1b7437bd2a93b3
320 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is an OLE document containing an embedded PE executable, identified by the 'OLE_EMBEDDED_EXE' and 'OFFICE_PACKAGE_RISKY_FILE' heuristics. The document body presents a fake exercise requiring the user to click a button to record, which likely triggers the execution of the embedded payload. The presence of ShellExecute, VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress API calls further indicates malicious activity, likely related to the execution and manipulation of the embedded payload.

Heuristics 8

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0001c2a9.exe embedded-pe Office MZ+PE at offset 0x1C2A9 164695 bytes
SHA-256: 870dfa50010014451de711c4bee0b147c64991a35459cd91bdda7f10d6a2c283
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1315832357/Ole10Native 131755 bytes
SHA-256: 6bf0beece275a75f29d1f8022a4237e145851622d9c1a31fe252814faa7734e5

Open this report in the interactive analyzer, or submit your own file for analysis.