Doc.Dropper.Agent-7119667-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 5600cfc427a7859f…

MALICIOUS

Office (OLE)

Size: 703.0 KB
Created: 2014-12-02 03:30:00
Authoring application: Microsoft Office Word
First seen: 2018-06-21
MD5: 89fd244336cdb8fab0527609ca738afb
SHA-1: 115f78c3c835b068a9c93a3ae3334005596e0c67
SHA-256: 5600cfc427a7859fc791734b6a0b5a94a70edac87d3ff72bb3b1dd908c263759
Risk score: 422

Malware Insights

Doc.Dropper.Agent-7119667-0 · confidence 95%

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is a Microsoft Word (OLE) document that matches the MS07-060 (CVE-2007-3899) malformed-string exploit shape and carries an embedded OLE Package (Ole10Native) object, carved as ole10native_00.bin. The heuristics flag that package both as a directly auto-executable file and as a download-and-execute script. The document body prompts the user to 'Enable Editing' to open a resume, a common lure for malicious documents. The payload is most likely a downloader: the package-script heuristic reports a fetch-and-run script, and the carved artifact references the ShellExecute and GetProcAddress APIs. ClamAV detects the parent document but not the carved package, whose entropy of 8.00 indicates packed or encrypted content that static analysis cannot characterise further.

Heuristics (10)

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption [critical | CVE likely | CVE_2007_3899]
    Word OLE document has the MS07-060 malformed-string exploit shape (MS07-060 is the bulletin that fixed CVE-2007-3899): a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence. This is a structural match on the file, not proof that the memory corruption fires on a given Word build.
  • OLE with Ole10Native — possible CVE-2026-21514 exploitation [high | CVE likely | CVE_2026_21514]
    Document contains a Word OLE object with an Ole10Native stream plus executable, PE, or risky remote-link indicators. CVE-2026-21514 concerns OLE metadata validation; because this stronger structure (Ole10Native together with the executable indicators) is present, the rule treats it as likely exploitation rather than a bare Ole10Native sighting.
  • ClamAV: Doc.Dropper.Agent-7119667-0 [critical | CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Agent-7119667-0
  • Ole10Native package payload is a download-and-execute script [critical | OFFICE_PACKAGE_SCRIPT_DROPPER]
    The OLE Package's embedded payload contains a script that invokes a script host (PowerShell/WScript/mshta), fetches a remote resource, and executes it — a download-and-run dropper. Embedding such a script inside an Office document via the Object Packager is a direct user-execution delivery technique (MITRE T1204.002), not a benign attachment.
  • Ole10Native package drops an auto-executable payload [critical | OFFICE_PACKAGE_RISKY_FILE]
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • x86 GetPC stub (CALL $+5; POP EAX) [high | SC_GETPC_CALL]
    A CALL to the very next instruction (E8 00 00 00 00) pushes its own return address, which the following POP EAX recovers: the GetPC idiom that position-independent shellcode and unpacking stubs use to find their own location without relocations. In the listing below the stub then computes a data pointer relative to that address (ADD EAX, 0xB5A; MOV ESI, [EAX]; ADD ESI, EAX), runs a short byte-copy loop (MOV AL, [ECX+EDI+6] / MOV [ECX+ESI], AL, counted down by DEC ECX / JNE) and then carves working space out of the stack (LEA ESP, [ESP + EBP*2 - 0xE70]): the shape of a decompression or decryption stub rather than of compiler-generated code.
    Disassembly
    Attempted x86 opcode disassembly of the carved artifact; addresses are as reported by the disassembler.
    00097EFD  e800000000        call 0x97f02
    00097F02  58                pop eax
    00097F03  055a0b0000        add eax, 0xb5a
    00097F08  8b30              mov esi, dword ptr [eax]
    00097F0A  03f0              add esi, eax
    00097F0C  2bc0              sub eax, eax
    00097F0E  8bfe              mov edi, esi
    00097F10  66ad              lodsw ax, word ptr [esi]
    00097F12  c1e00c            shl eax, 0xc
    00097F15  8bc8              mov ecx, eax
    00097F17  50                push eax
    00097F18  ad                lodsd eax, dword ptr [esi]
    00097F19  2bc8              sub ecx, eax
    00097F1B  03f1              add esi, ecx
    00097F1D  8bc8              mov ecx, eax
    00097F1F  57                push edi
    00097F20  51                push ecx
    00097F21  49                dec ecx
    00097F22  8a443906          mov al, byte ptr [ecx + edi + 6]
    00097F26  880431            mov byte ptr [ecx + esi], al
    00097F29  75f6              jne 0x97f21
    00097F2B  2bc0              sub eax, eax
    00097F2D  ac                lodsb al, byte ptr [esi]
    00097F2E  8bc8              mov ecx, eax
    00097F30  80e1f0            and cl, 0xf0
    00097F33  240f              and al, 0xf
    00097F35  c1e10c            shl ecx, 0xc
    00097F38  8ae8              mov ch, al
    00097F3A  ac                lodsb al, byte ptr [esi]
    00097F3B  0bc8              or ecx, eax
    00097F3D  51                push ecx
    00097F3E  02cd              add cl, ch
    00097F40  bd00fdffff        mov ebp, 0xfffffd00
    00097F45  d3e5              shl ebp, cl
    00097F47  59                pop ecx
    00097F48  58                pop eax
    00097F49  8bdc              mov ebx, esp
    00097F4B  8da46c90f1ffff    lea esp, [esp + ebp*2 - 0xe70]
    00097F52  51                push ecx
    00097F53  2bc9              sub ecx, ecx
    00097F55  51                push ecx
    00097F56  51                push ecx
    00097F57  8bcc              mov ecx, esp
    00097F59  51                push ecx
    00097F5A  668b17            mov dx, word ptr [edi]
  • Reference to ShellExecute API [high | SC_STR_SHELLEXEC]
    The carved artifact contains the string ShellExecute, the shell32.dll export used to launch a file, script or URL through the shell; in a dropper it is the usual way to run the payload once it has been written to disk.
  • Reference to GetProcAddress API [high | SC_STR_GETPROCADDRESS]
    The carved artifact contains the string GetProcAddress, the kernel32.dll export used to resolve API addresses at run time instead of through a static import table. Shellcode and packer stubs rely on it, which is consistent with the recovered DLL names kernel32.dll, advapi32.dll and shell32.dll.
  • Suspicious extracted artifact [medium | EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info | EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    All three are standard Office Open XML namespace URIs that Word stores as schema identifiers; they are not download endpoints and are not contacted when the document opens, so they carry no weight in the verdict.
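The MS07-060 heuristic above keys on FIB pointers that run outside the table stream. The following script is an added example, not the report's own detection logic: it bounds-checks every FibRgFcLcb97 fc/lcb pair (not only fcDop/lcbDop, which it names specially) against the table stream selected by fWhichTblStm, and flags INT_MAX/UINT_MAX lengths outright. Offsets follow [MS-DOC]: wIdent at 0x00, the FibBase flag word at 0x0A, cbRgFcLcb at 0x98, the pairs from 0x9A, fcDop/lcbDop as pair 31. The WordDocument and table streams are constructed inline; on a real file they would be read with olefile.

```python
"""Bounds-check Word 97 FIB pointers (added example; streams are constructed)."""
import struct

WIDENT = 0xA5EC
FLAGS_OFF, F_WHICH_TBL_STM = 0x0A, 0x0200   # FibBase.flags, bit 9 = fWhichTblStm
CB_RG_FC_LCB_OFF, RG_FC_LCB_OFF = 0x98, 0x9A
DOP_PAIR = 31                               # fcDop/lcbDop sit at 0x192/0x196
CB_RG_FC_LCB_97 = 0x5D                      # 93 fc/lcb pairs in a Word 97 FIB


def check_fib_pointers(word_document: bytes, tables: dict) -> list:
    """Return findings for every fc/lcb pair that does not fit in the table stream.

    Python ints do not wrap, so fc + lcb is compared honestly; a 32-bit reader
    that adds the two DWORDs can wrap, which is why an lcb of 0x7FFFFFFF or
    0xFFFFFFFF is reported as suspicious on its own.
    """
    findings = []
    if len(word_document) < RG_FC_LCB_OFF:
        return ["WordDocument too short for a Word 97 FIB"]
    wident = struct.unpack_from("<H", word_document, 0)[0]
    if wident != WIDENT:
        findings.append(f"wIdent 0x{wident:04X} is not 0xA5EC")
    flags = struct.unpack_from("<H", word_document, FLAGS_OFF)[0]
    table_name = "1Table" if flags & F_WHICH_TBL_STM else "0Table"
    table = tables.get(table_name)
    if table is None:
        findings.append(f"fWhichTblStm selects {table_name} but it is absent")
        return findings
    n_pairs = struct.unpack_from("<H", word_document, CB_RG_FC_LCB_OFF)[0]
    avail = (len(word_document) - RG_FC_LCB_OFF) // 8
    if n_pairs > avail:
        findings.append(f"cbRgFcLcb {n_pairs} exceeds the {avail} pairs present")
        n_pairs = avail
    for i in range(n_pairs):
        fc, lcb = struct.unpack_from("<II", word_document, RG_FC_LCB_OFF + 8 * i)
        if lcb == 0:
            continue                                     # unused region
        name = "fcDop/lcbDop" if i == DOP_PAIR else f"FibRgFcLcb97 pair {i}"
        if lcb in (0x7FFFFFFF, 0xFFFFFFFF):
            findings.append(f"{name}: lcb 0x{lcb:08X} is INT_MAX/UINT_MAX")
        elif fc + lcb > len(table):
            findings.append(f"{name}: fc 0x{fc:X} + lcb 0x{lcb:X} exceeds "
                            f"{table_name} ({len(table)} bytes)")
    return findings


def build_fib(fc_dop: int, lcb_dop: int, use_1table: bool = True) -> bytes:
    """Constructed Word 97 FIB with only the fields this check reads populated."""
    fib = bytearray(RG_FC_LCB_OFF + 8 * CB_RG_FC_LCB_97)
    struct.pack_into("<HH", fib, 0, WIDENT, 0x00C1)        # wIdent, nFib (Word 97)
    struct.pack_into("<H", fib, FLAGS_OFF, F_WHICH_TBL_STM if use_1table else 0)
    struct.pack_into("<H", fib, CB_RG_FC_LCB_OFF, CB_RG_FC_LCB_97)
    struct.pack_into("<II", fib, RG_FC_LCB_OFF + 8 * DOP_PAIR, fc_dop, lcb_dop)
    return bytes(fib)


if __name__ == "__main__":
    tables = {"1Table": bytes(0x400)}                       # constructed 1 KiB table stream
    print(check_fib_pointers(build_fib(0x100, 0x1F4), tables))         # sane: []
    print(check_fib_pointers(build_fib(0x100, 0x7FFFFFFF), tables))    # INT_MAX lcb
```

A real document has many non-zero pairs, so the loop produces noise on damaged-but-benign files; treat a single INT_MAX length or an fcDop/lcbDop overrun as the strong signal and the rest as context.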

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ole10native_00.bin
Kind: ole-package
Source: OLE Ole10Native stream: ObjectPool/_1480742349/Ole10Native
Size: 678283 bytes
SHA-256: e292da33a5789cc355893d1f4f270bdcf61a808b3acc2a52d1321ff61db5e4d5

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_STR_GETPROCADDRESS, SC_STR_SHELLEXEC, SC_GETPC_CALL. Recovered API/import strings: kernel32.dll, advapi32.dll, shell32.dll, KERNEL32.DLL, ADVAPI32.DLL, GetProcAddress. Carved artifact entropy is 8.00, consistent with packed or encrypted content.
Note that the ClamAV verdict on the parent document does not carry over to the carved package, which is clean by signature. Entropy of 8.00 is the maximum for byte data, so the bulk of the 678 KB is compressed or encrypted and the readable strings and GetPC stub come from a small plaintext portion; unpacking or dynamic analysis is needed to recover the final payload.
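The Ole10Native heuristics (risky extension, script dropper), the shellcode indicators (GetPC stub, API strings) and the carved-artifact summary above all operate on the same stream. The script below is an added example, not the report's own tooling: it parses an Ole10Native stream, carves the payload, and runs those checks over it. The layout used is the reverse-engineered Object Packager format as implemented by oletools' oleobj (size DWORD, flags WORD, NUL-terminated label, source path, two DWORDs, NUL-terminated temp path, payload size DWORD, payload); the stream and its payload are constructed inline and are not the real artifact. On a real .doc the bytes would come from olefile.OleFileIO(path).openstream(...) on the stream named "\x01Ole10Native" under ObjectPool/<id>.

```python
"""Carve and triage an OLE Package (Ole10Native) payload (added example)."""
import hashlib
import math
import re
import struct
from dataclasses import dataclass

# Extensions the default shell host runs on double-click (OFFICE_PACKAGE_RISKY_FILE idea).
AUTO_EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
                  ".js", ".jse", ".wsf", ".wsh", ".ps1", ".hta", ".lnk", ".msi"}
API_MARKERS = (b"GetProcAddress", b"ShellExecute", b"LoadLibrary", b"WinExec")
GETPC_STUB = re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]")   # CALL $+5 ; POP r32


@dataclass
class OlePackage:
    label: str        # displayName shown in the document
    src_path: str     # fullPath on the authoring machine
    temp_path: str    # path Object Packager extracts to when activated
    payload: bytes


def _cstr(buf: bytes, pos: int):
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_ole10native(stream: bytes) -> OlePackage:
    total, flags = struct.unpack_from("<IH", stream, 0)
    if total + 4 > len(stream):
        raise ValueError("size prefix runs past end of stream")
    pos = 6
    label, pos = _cstr(stream, pos)
    src_path, pos = _cstr(stream, pos)
    pos += 8                                    # two DWORDs (0x3, temp-path length)
    temp_path, pos = _cstr(stream, pos)
    (size,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    if pos + size > len(stream):
        raise ValueError("payload size runs past end of stream")
    return OlePackage(label, src_path, temp_path, stream[pos:pos + size])


def shannon_entropy(data: bytes) -> float:
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _ext(path: str) -> str:
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""


def triage(pkg: OlePackage) -> dict:
    p = pkg.payload
    return {
        "sha256": hashlib.sha256(p).hexdigest(),
        "risky_extension": any(_ext(n) in AUTO_EXEC_EXTS for n in (pkg.label, pkg.src_path)),
        "is_pe": p[:2] == b"MZ",
        "api_strings": [m.decode() for m in API_MARKERS if m in p],
        "getpc_offsets": [m.start() for m in GETPC_STUB.finditer(p)],
        "entropy": round(shannon_entropy(p), 2),
    }


def build_sample_stream() -> bytes:
    """Constructed stream: fake MZ stub, the report's GetPC bytes, API names, random-ish filler."""
    payload = (b"MZ" + b"\x90" * 62
               + b"\xe8\x00\x00\x00\x00\x58\x05\x5a\x0b\x00\x00"   # call $+5; pop eax; add eax,0xb5a
               + b"GetProcAddress\x00ShellExecuteA\x00"
               + bytes(range(256)) * 4)                            # high-entropy filler
    label = b"resume.exe\x00"
    src = b"C:\\Users\\author\\Desktop\\resume.exe\x00"
    tmp = b"C:\\Users\\author\\AppData\\Local\\Temp\\resume.exe\x00"
    body = (struct.pack("<H", 2) + label + src + struct.pack("<II", 3, len(tmp)) + tmp
            + struct.pack("<I", len(payload)) + payload)
    return struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    pkg = parse_ole10native(build_sample_stream())
    print(pkg.label, pkg.src_path, pkg.temp_path, len(pkg.payload), "bytes")
    print(triage(pkg))
```

The size checks in parse_ole10native matter on hostile input: a size prefix or payload length larger than the stream is itself a malformed-metadata signal, and slicing past the end would otherwise silently truncate the carve and change the hash you report.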