Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 4e11d1c7be8147fb…

MALICIOUS

Office (OLE) / .DOC

Size: 404.0 KB
Created: 2010-03-30 12:12:00
Authoring application: Microsoft Office Word
MD5: 0922d7391343ab678099b147c27d1cd5
SHA-1: 4b9982604df7d9dfb89dca96b4e85fea833310ce
SHA-256: 4e11d1c7be8147fb76b754f87a3a82316009403a90f536ea8e2611bbf213925f
Risk Score: 280

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter
  • T1059.003 Windows Command Shell

The sample is an OLE (binary Word) document carrying an embedded PE executable inside a Packager (Ole10Native) object. String heuristics matched references to the CreateProcess, ShellExecute, VirtualAlloc, LoadLibrary and GetProcAddress APIs; in a document of this kind those strings most likely sit in the import table of the embedded executable, so they describe what the payload can do once it runs (spawn processes, resolve APIs at run time, allocate memory for unpacked code) rather than code the document executes on open. The OLE_EMBEDDED_EXE and CVE_2026_21514 heuristics fire on the structure an attacker needs to drop and execute a secondary payload, an Ole10Native stream plus a PE header, and the analysis treats that structure as likely exploitation of CVE-2026-21514. This is a static result: the same structure also describes a benign Packager object, nothing was executed, and exploitation is inferred from layout rather than observed. The MALICIOUS verdict therefore rests on the embedded executable, which should be extracted and analysed in its own right.

Heuristics (7)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation (severity: high, CVE: likely) CVE_2026_21514
    The document contains a Word OLE object with an Ole10Native stream together with executable, PE or risky remote-link indicators. CVE-2026-21514 involves OLE metadata validation, and this stronger structure is treated as likely exploitation. Caveat: an Ole10Native stream that wraps an executable is also exactly what a benign Packager object looks like, so in a static report this indicator rests on the embedded PE and the CVE is inferred, not observed.
  • Embedded PE executable (severity: critical) OLE_EMBEDDED_EXE
    MZ/PE header found inside the document, i.e. an embedded executable; the carved copy is listed under Extracted artifacts.
  • Reference to CreateProcess API (severity: high) SC_STR_CREATEPROCESS
    String match on the API name. In a document with an embedded executable, this and the four API references below most likely come from that executable's import table, so they describe what the payload can do once run (here: spawn a process) rather than code the document itself executes.
  • Reference to ShellExecute API (severity: high) SC_STR_SHELLEXEC
    String match on the API name; ShellExecute launches a file or URL through the shell and is a common way for a dropper to start what it wrote to disk.
  • Reference to LoadLibrary API (severity: high) SC_STR_LOADLIBRARY
    String match on the API name; paired with GetProcAddress it resolves imports at run time, which packed and obfuscated binaries use to keep their static import table uninformative.
  • Reference to GetProcAddress API (severity: high) SC_STR_GETPROCADDRESS
    String match on the API name; see LoadLibrary above.
  • Reference to VirtualAlloc API (severity: medium) SC_STR_VIRTUALALLOC
    String match on the API name; VirtualAlloc is how unpackers and loaders obtain memory (often with execute permission) for code they decode at run time. It is also common in ordinary software.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind          Source                                                       Size
embedded_office_0000493f.exe   embedded-pe   Office: MZ+PE at offset 0x493F                               394945 bytes
  SHA-256: 0aab070e5ee9bcc302b8dec8296b384059e4bba0ad97ed2fa6c76b89a04c8c76
ole10native_00.bin             ole-package   OLE Ole10Native stream: ObjectPool/_1331464566/Ole10Native   388929 bytes
  SHA-256: 8d6a9f92b9b1ba66bcedad7c3d55c5d3928cf40a6c03e7b43435462838303450

Size check: 0x493F + 394945 = 413696 bytes, which is exactly 404.0 KB, so embedded_office_0000493f.exe appears to be cut from the first MZ header to end of file rather than at the executable's real end. It is also larger than the entire Ole10Native stream (388929 bytes), and a Packager payload cannot exceed that stream minus its header, so the carve necessarily contains bytes that are not part of the dropped executable (trailing OLE sectors, possibly other streams). Its SHA-256 will not match the file the payload writes to disk; for a usable hash and sample, parse the Ole10Native header in ole10native_00.bin and take exactly the declared payload length.
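To turn ole10native_00.bin into the executable as it would actually be dropped, the Ole10Native header has to be parsed rather than carving from the first MZ. The script below is an added example written for this report, not code from the analysis service or from the sample. It implements the commonly documented Packager stream layout (size, flags, label, source path, reserved DWORD, temp-path length, temp path, payload size, payload), builds a constructed sample stream around a stand-in DOS/PE header (the label and paths are invented), recovers the payload with its exact offset and SHA-256, and reproduces the size arithmetic from the artifact table above.

```python
"""Recover the exact executable from an Ole10Native (Packager) stream."""
import hashlib
import struct

# Figures from the report above; 404.0 KB is taken as 413696 bytes.
FILE_SIZE = 413696
MZ_OFFSET = 0x493F
CARVED_PE_SIZE = 394945
OLE10NATIVE_SIZE = 388929


class _Cursor:
    """Minimal forward reader over bytes that keeps track of the offset."""

    def __init__(self, data: bytes) -> None:
        self.data, self.off = data, 0

    def u16(self) -> int:
        (v,) = struct.unpack_from("<H", self.data, self.off)
        self.off += 2
        return v

    def u32(self) -> int:
        (v,) = struct.unpack_from("<I", self.data, self.off)
        self.off += 4
        return v

    def cstr(self) -> bytes:
        end = self.data.index(b"\x00", self.off)
        s = self.data[self.off:end]
        self.off = end + 1
        return s


def parse_ole10native(stream: bytes) -> dict:
    """Parse the Packager header and return the payload with its exact offset.

    Every length field is checked against what is actually present, so a
    truncated or malformed stream raises instead of yielding a wrong payload.
    """
    c = _Cursor(stream)
    declared = c.u32()
    if declared != len(stream) - 4:
        raise ValueError(f"size field {declared} != stream length - 4")
    flags = c.u16()
    label = c.cstr()
    src_path = c.cstr()
    c.u32()  # reserved, normally zero
    temp_len = c.u32()
    temp_path = c.cstr()
    if temp_len != len(temp_path) + 1:
        raise ValueError("temp path length field disagrees with the string")
    payload_size = c.u32()
    if payload_size > len(stream) - c.off:
        raise ValueError("payload size exceeds stream; stream is truncated")
    payload = stream[c.off:c.off + payload_size]
    return {
        "flags": flags,
        "label": label.decode("latin-1"),
        "src_path": src_path.decode("latin-1"),
        "temp_path": temp_path.decode("latin-1"),
        "payload_offset": c.off,
        "payload_size": payload_size,
        "payload": payload,
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at PE\\0\\0."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_runs_to_eof(mz_offset: int, carved_size: int, file_size: int) -> bool:
    """A carve that ends exactly at EOF was cut by file size, not by PE size."""
    return mz_offset + carved_size == file_size


def build_ole10native(label: bytes, src_path: bytes, temp_path: bytes,
                      payload: bytes) -> bytes:
    """Build a Packager stream; used here only to construct the sample input."""
    body = (struct.pack("<H", 2) + label + b"\x00" + src_path + b"\x00"
            + struct.pack("<II", 0, len(temp_path) + 1) + temp_path + b"\x00"
            + struct.pack("<I", len(payload)) + payload)
    return struct.pack("<I", len(body)) + body


# Constructed stand-in for the dropped executable: a DOS header whose e_lfanew
# points at a bare PE signature. It is not a real program.
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20

# Constructed sample stream; label and paths are invented for the example.
SAMPLE_STREAM = build_ole10native(
    b"update.exe", b"C:\\Users\\user\\update.exe", b"C:\\Temp\\update.exe", FAKE_PE)


def analyze(stream: bytes = SAMPLE_STREAM) -> dict:
    """Parse the stream, validate the payload and evaluate the carve-size checks."""
    rec = parse_ole10native(stream)
    rec["is_pe"] = is_pe(rec["payload"])
    rec["mz_offset_in_stream"] = stream.find(b"MZ")
    rec["carve_to_eof"] = carve_runs_to_eof(MZ_OFFSET, CARVED_PE_SIZE, FILE_SIZE)
    rec["carve_exceeds_stream"] = CARVED_PE_SIZE > OLE10NATIVE_SIZE
    return rec


if __name__ == "__main__":
    r = analyze()
    print(f"label={r['label']} payload_offset={r['payload_offset']} "
          f"size={r['payload_size']} pe={r['is_pe']} sha256={r['sha256']}")
    print(f"carve to EOF: {r['carve_to_eof']}, larger than stream: {r['carve_exceeds_stream']}")
```

To run this against the real artifact, feed parse_ole10native() the raw stream, for example as read with olefile via OleFileIO(path).openstream('ObjectPool/_1331464566/Ole10Native').read(), and hash the returned payload; that hash, not the one of the end-of-file carve, is what to search for and what the dropped file on a victim host will carry.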