Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4667ffefd92ffdf7…

MALICIOUS

Office (OLE)

102.0 KB Created: 2004-04-12 15:40:00 Authoring application: Microsoft Word 9.0 First seen: 2017-09-14
MD5: 4fe91d04d1b2c5a20b8a201fdfe0f6af SHA-1: e12ee1b2c253fa215f52e2d5529e5fb58044e129 SHA-256: 4667ffefd92ffdf79727a6b733afeb2fb467afd70791754661a0027d560f2f36
220 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is an OLE document containing an embedded executable file (MZ header detected). Heuristics indicate that this embedded file is an auto-executable payload, likely dropped via Ole10Native. The document body, disguised as an academic course announcement, serves as a lure to encourage the user to interact with the embedded malicious content. The presence of WinExec and VirtualAlloc API references suggests the embedded executable is designed to run and allocate memory.

Heuristics 5

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0000d604.exe embedded-pe Office MZ+PE at offset 0xD604 49660 bytes
SHA-256: c6ca6d4f5297e00a19191c285155c31224cd1901c9cba9898ccb7ba8c89d9662
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1143543815/Ole10Native 41572 bytes
SHA-256: f6c7609f84b41508f3fe22fea004eeed9791be4148c0a47d3f338d913edcf79f

Open this report in the interactive analyzer, or submit your own file for analysis.