Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 4895a4d70705aef6…

MALICIOUS

Office (OOXML)

12.12 MB Created: 2021-05-30 16:27:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2021-06-04
MD5: 19b4e79c93d4dd6ab9dbca9d61f78b9b SHA-1: e13770d5bb40d9ab99bcf4f5f3a73702bdd58e94 SHA-256: 4895a4d70705aef60c393e1d1f911a59ebfc938e8990dc50c6433ed0d308a14b
220 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1129 Execution through API

The file is identified as malicious by ClamAV with the signature Img.Dropper.PhishingLure-6329861-0. Static analysis reveals an embedded OLE object with indicators for CVE-2026-21514 exploitation, specifically designed to drop an executable payload. The presence of executable extensions within the OLE package further supports this finding.

Heuristics 4

  • ClamAV: Img.Dropper.PhishingLure-6329861-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6329861-0
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject1.bin 8388608 bytes
SHA-256: 5bb5684d093c163b0b3223bdf40f0d36be5736aa8a95bcb85c3d1be55ddec66c
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS_X64, SC_STR_GETPROCADDRESS, SC_STR_LOADLIBRARY Static shellcode analysis recovered API/import strings: GetProcAddress, CreateProcessW
ooxml_oleobject_00_ole10native_00.bin ole-package OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 8388608 bytes
SHA-256: 2151898f59ef386b42a671ccf035be86a98cd8b9c1001711aa79325a161c410a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS_X64, SC_STR_GETPROCADDRESS, SC_STR_LOADLIBRARY Static shellcode analysis recovered API/import strings: GetProcAddress, CreateProcessW Carved artifact entropy is 7.55, consistent with packed or encrypted content.
emf_00.emf ooxml-emf OOXML EMF part: word/media/image1.emf 5336 bytes
SHA-256: f71e0f405e2866651d60b88c37ff553fb5f26363db1998ad731435b82d1863d7
Detection
ClamAV: Img.Dropper.PhishingLure-6329861-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.