Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 4ecef0cf51b2e43a…

MALICIOUS

Office (OLE) / .DOC

Size: 128.0 KB
Created: 2003-02-26 13:42:00
Authoring application: Microsoft Word 10.0
MD5: c59e08e123bff97f59c18fec6822de6f
SHA-1: 5ec65ad11f44f83d3b45e0e31afc691aad8cfe9a
SHA-256: 4ecef0cf51b2e43a3dc9bee5af56c1381188466f81e1f4a5ce286a55253773f4
Risk Score: 220

Malware Insights

MITRE ATT&CK
T1559 Component Object Model Hijacking

The file is a Microsoft Word document containing an embedded executable file. This is strongly indicative of a malicious document designed to trick the user into executing a payload. The embedded executable was detected by ClamAV as Win.Trojan.Agent-232975. The document also exhibits characteristics associated with potential exploitation of CVE-2026-21514.

Heuristics (4)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation [high] [CVE likely] [CVE_2026_21514]
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable [critical] [OLE_EMBEDDED_EXE]
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Win.Trojan.Agent-232975 [critical] [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Trojan.Agent-232975
  • ClamAV detection on extracted artifact [critical] [EXTRACTED_FILE_CLAMAV]
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • embedded_office_000040c7.exe
    30d8b7eead33a54fb0762bc1d0629ad5425c4a29f797beb51f63e75f5a86bdb2
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x40C7
    Size: 114489 bytes
    Detection: ClamAV: Win.Trojan.Agent-232975
    Obfuscation or payload: unlikely
  • ole10native_00.bin
    04a1766d2c5d1bba4d08b5468f766d5dba2ee4823816a9cf373db5e45d932fb9
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_1107775730/Ole10Native
    Size: 114852 bytes