Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 4f3e146adb673c49…

MALICIOUS

Office (OOXML)

1.04 MB Created: 2018-04-17 01:20:53 UTC Authoring application: Microsoft Office PowerPoint 14.0000 First seen: 2018-11-13
MD5: b96bbcccbdd7c66a3e1649fa76b6b7d0 SHA-1: 0453bccb408cea45571d153df6c78d975abbbcff SHA-256: 4f3e146adb673c49caa9aacf8b1986c4143bcd01166494128085e252bbdf7bf2
64 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file is a PowerPoint document containing an embedded OLE object, flagged as a likely exploit for CVE-2026-21514. The document body attempts social engineering by claiming McAfee protection and instructing the user to run the embedded object. The embedded OLE object is the primary indicator of malicious intent, likely serving as a payload.

Heuristics 4

  • OOXML Ole10Native with payload/link indicators — possible CVE-2026-21514 high CVE likely CVE_2026_21514
    Office document contains embedded OLE (ppt/embeddings/oleObject1.bin) with Ole10Native plus executable, PE, or risky remote-link indicators. This is a likely CVE-2026-21514 exploitation shape.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xap/1.0/ In document text (OOXML body / shared strings)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/mm/In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OOXML body / shared strings)
    • http://purl.org/dc/elements/1.1/In document text (OOXML body / shared strings)
    • http://ns.adobe.com/photoshop/1.0/In document text (OOXML body / shared strings)
    • http://ns.adobe.com/tiff/1.0/In document text (OOXML body / shared strings)
    • http://ns.adobe.com/exif/1.0/In document text (OOXML body / shared strings)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: ppt/embeddings/oleObject1.bin 970240 bytes
SHA-256: 8dc23e46a2569057018f2a851d0890c3dad6799235f30d8f89652536cab11458
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.46, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.