Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4c8f65340d6aee29…

MALICIOUS

Office (OLE)

Size: 125.0 KB
Created: 2006-02-01 13:57:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 903596b6a8027d64f94ba5cecf5fa656
SHA-1: 0dbda74c6a88f5c402349092743957c394fcc450
SHA-256: 4c8f65340d6aee298031599dd81bd1aed9d5c58069947c621ae8832dd79d0011
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file is an OLE document containing an embedded executable payload, indicated by the 'OFFICE_PACKAGE_RISKY_FILE' heuristic. The document body presents itself as a contract addendum, a common lure for phishing attacks. The presence of Ole10Native suggests an attempt to exploit vulnerabilities like CVE-2026-21514 for client execution.

Heuristics (4)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation (severity: high; tag: CVE_2026_21514; CVE likely)
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Ole10Native package drops an auto-executable payload (severity: critical; tag: OFFICE_PACKAGE_RISKY_FILE)
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to WinExec API (severity: high; tag: SC_STR_WINEXEC)
    Reference to WinExec API
  • Reference to VirtualAlloc API (severity: medium; tag: SC_STR_VIRTUALALLOC)
    Reference to VirtualAlloc API

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ole10native_00.bin
Kind: ole-package
Source: OLE Ole10Native stream: ObjectPool/_988790825/Ole10Native
Size: 41580 bytes
SHA-256: 850ce4d0f4553aeedefe53c03a8f9865990d561e01e43ae93e29e0d76bf57372