Win.Dropper.Formbook-10028567-0 — Office (OOXML) malware analysis

Static analysis result for SHA-256 46dae97dc1f87f66…

MALICIOUS

Office (OOXML)

Size: 516.4 KB
Created: 2021-09-08 15:02:41 UTC
Authoring application: Microsoft Office PowerPoint 14.0000
First seen: 2021-09-16
MD5: e77d6042ed6649374054860f9e64ac51
SHA-1: 30e1f880d1df9ac5396537b7620dc7188312721b
SHA-256: 46dae97dc1f87f66719f73c81a7123bb91274131145b094814945069bc1027b1
Risk score: 240

Malware Insights

Win.Dropper.Formbook-10028567-0 · confidence 95%

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

ClamAV identifies the file as Win.Dropper.Formbook-10028567-0. Static analysis found an embedded OLE part (ppt/embeddings/oleObject1.bin) carrying an Ole10Native (OLE Package) stream, and the package's displayName or fullPath ends in an auto-executable extension, so the object is built to drop and run an executable payload. The Ole10Native-plus-executable shape is what the analyzer associates with CVE-2026-21514, but that attribution is a heuristic match, not a confirmed exploit: the same shape also fits plain user execution of the embedded package on double-click (ATT&CK T1204.002), and the file was created in 2021, years before the CVE identifier it is matched against. Confirm the execution path dynamically before reporting the CVE.

Heuristics (4)

  • OOXML Ole10Native with payload/link indicators (possible CVE-2026-21514) · severity: high · tag: CVE_2026_21514
    Office document contains an embedded OLE part (ppt/embeddings/oleObject1.bin) with an Ole10Native stream plus executable, PE, or risky remote-link indicators. This is the shape the analyzer associates with CVE-2026-21514 exploitation.
  • ClamAV: Win.Dropper.Formbook-10028567-0 · severity: critical · tag: CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Dropper.Formbook-10028567-0.
  • Ole10Native package drops an auto-executable payload · severity: critical · tag: OFFICE_PACKAGE_RISKY_FILE
    The OLE Package's displayName or fullPath ends in a directly auto-executable extension (a runnable binary, or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use; it is a malware-delivery dropper.
  • Embedded OLE object · severity: medium · tag: OOXML_OLE_OBJECT
    The document contains an embedded OLE object.
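The three structural checks behind the heuristics above (an embeddings part in the OOXML container, an Ole10Native stream in the OLE part, and a Package whose name or payload is executable) can be reproduced with standard-library Python. The block below is an added example, not the analyzer's own code and not code carved from the sample: the OOXML zip, the compound-file bytes and the Ole10Native stream it inspects are constructed inline; the Ole10Native layout it assumes is the common Package layout (4-byte size, 2-byte flags, label, original path, 8 bytes of flags and temp-path length, temp path, 4-byte data size, data); and the function names, the AUTO_EXEC_EXT list and the indicator tags are illustrative choices. Pulling the real stream out of a compound file needs an OLE parser such as olefile; here only the "\x01Ole10Native" directory-entry name is searched for as the indicator.

```python
import io
import os
import struct
import zipfile

# Extensions Windows runs directly on double-click (a binary, or a script the
# default script host executes). Illustrative list, not the analyzer's.
AUTO_EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                 ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}

EMBEDDING_DIRS = ("word/embeddings/", "ppt/embeddings/", "xl/embeddings/")
# CFB directory-entry names are UTF-16LE; the Package stream is "\x01Ole10Native".
OLE10NATIVE_MARKER = "\x01Ole10Native".encode("utf-16-le")


def list_ooxml_embeddings(doc_bytes):
    """Return embedded-object part names inside an OOXML (zip) container."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        return [n for n in zf.namelist() if n.startswith(EMBEDDING_DIRS)]


def has_ole10native_marker(cfb_bytes):
    """True if the compound file carries an Ole10Native directory entry."""
    return OLE10NATIVE_MARKER in cfb_bytes


def _cstr(buf, pos):
    """Read a NUL-terminated ANSI string starting at pos; return (text, next pos)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_ole10native(stream):
    """Parse an Ole10Native stream into its label, paths and raw payload."""
    total, flags = struct.unpack_from("<IH", stream, 0)
    pos = 6
    label, pos = _cstr(stream, pos)       # displayName shown to the user
    src_path, pos = _cstr(stream, pos)    # fullPath on the author's machine
    pos += 8                              # flags + length of the temp path
    temp_path, pos = _cstr(stream, pos)
    (size,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    data = stream[pos:pos + size]
    if len(data) != size:
        raise ValueError("truncated Ole10Native payload")
    return {"label": label, "src_path": src_path, "temp_path": temp_path,
            "flags": flags, "data": data}


def _ext(name):
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return os.path.splitext(base.lower())[1]


def classify_package(pkg):
    """Apply the auto-executable-name and PE-payload checks; return indicator tags."""
    indicators = set()
    if any(_ext(n) in AUTO_EXEC_EXT for n in (pkg["label"], pkg["src_path"], pkg["temp_path"])):
        indicators.add("OFFICE_PACKAGE_RISKY_FILE")
    if pkg["data"][:2] == b"MZ":          # DOS/PE header; the payload is a binary
        indicators.add("PE_PAYLOAD")
    return indicators


def build_ole10native(label, src_path, temp_path, data):
    """Construct a synthetic Ole10Native stream (test input, not a real sample)."""
    tmp = temp_path.encode("latin-1") + b"\x00"
    body = struct.pack("<H", 2)
    body += label.encode("latin-1") + b"\x00"
    body += src_path.encode("latin-1") + b"\x00"
    body += struct.pack("<HHI", 0, 3, len(tmp)) + tmp
    body += struct.pack("<I", len(data)) + data
    return struct.pack("<I", len(body)) + body


def demo():
    """Run the three checks over a constructed dropper-shaped document."""
    payload = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40   # constructed, not a real PE
    stream = build_ole10native("invoice.exe", "C:\\Users\\victim\\invoice.exe",
                               "C:\\Users\\victim\\AppData\\Local\\Temp\\invoice.exe", payload)
    # Constructed stand-in for oleObject1.bin: CFB magic plus the directory-entry
    # name, enough for the marker check only (not a valid compound file).
    fake_cfb = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64 + OLE10NATIVE_MARKER + stream
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/presentation.xml", "<p:presentation/>")
        zf.writestr("ppt/embeddings/oleObject1.bin", fake_cfb)
    parts = list_ooxml_embeddings(buf.getvalue())
    return parts, has_ole10native_marker(fake_cfb), classify_package(parse_ole10native(stream))


if __name__ == "__main__":
    print(demo())
```

A Package carrying a .pdf label and a %PDF payload passes classify_package with no indicators, which is the benign case the OFFICE_PACKAGE_RISKY_FILE heuristic is meant to leave alone; a truncated stream raises rather than silently returning a short payload, so a sample whose data size claims more bytes than the part holds is flagged instead of misclassified.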

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part ppt/embeddings/oleObject1.bin
  Size: 939520 bytes
  SHA-256: 3348fdecfcf3271367a703bc112720a1e0e9f2a5c578762cea104ca69e59e5f7
  Detection: ClamAV Win.Dropper.Formbook-10028567-0
  Obfuscation or payload: unlikely

Filename: ooxml_oleobject_00_ole10native_00.bin
  Kind: ole-package
  Source: Ole10Native stream inside OOXML part ppt/embeddings/oleObject1.bin
  Size: 929431 bytes
  SHA-256: 1f903101b0b9dfffa8dfcb35453a9f1d34a79bdeab00d37c6dd5795c9c99125c
  Detection: ClamAV Win.Dropper.Formbook-10028567-0
  Obfuscation or payload: unlikely