Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 57c318fbc8055174…

MALICIOUS

Office (OLE)

Size: 383.0 KB
Created: 2007-07-09 09:22:00
Authoring application: Microsoft Office Word
First seen: 2017-12-08
MD5: 591be1cd865d405c752b0b245cb5d185
SHA-1: 6ca262d9f49bdd7a2a98b6bc932d66fe582f8dc0
SHA-256: 57c318fbc8055174caed8f71c32bc5c83163bff377c97c2c6cbecb78a80a48b1
Risk score: 580

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer
  • T1055 Process Injection

The sample is an OLE document that contains an embedded executable file (embedded_office_00007877.exe). Heuristics found string references to Windows API functions such as WinExec, CreateProcess, VirtualAlloc, WriteProcessMemory, LoadLibrary, and GetProcAddress, which malware commonly uses to execute payloads and inject code into other processes. The embedded PE executable together with the ClamAV detection strongly suggests that the file is malicious and acts as a dropper.

Heuristics (11)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation (severity: high; tag: CVE likely; rule: CVE_2026_21514)
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • ClamAV: Win.Worm.Viking-9887063-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Worm.Viking-9887063-0
  • Reference to WriteProcessMemory API (severity: critical; rule: SC_STR_WRITEPROCESSMEMORY)
  • XOR-encoded strings (key 0x80) (severity: critical; rule: SC_XOR_ENCODED)
    Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x80: 'URLDownloadToFileA'
    Disassembly
    Attempted x86 opcode disassembly
    0003E06A  d5d2              aad 0xd2
    0003E06C  cc                int3
    0003E06D  c4                .byte 0xc4
    0003E06E  ef                out dx, eax
    0003E06F  f7ee              imul esi
    0003E071  ec                in al, dx
    0003E072  ef                out dx, eax
    0003E073  e1e4              loope 0x3e059
    0003E075  d4ef              aam 0xef
    0003E077  c6                .byte 0xc6
    0003E078  e9ece5c100        jmp 0xc5c669
    0003E07D  00ff              add bh, bh
    0003E07F  ff                .byte 0xff
    0003E080  ff                .byte 0xff
    0003E081  ff0a              dec dword ptr [edx]
    0003E083  0000              add byte ptr [eax], al
    0003E085  00d5              add ch, dl
    0003E087  d2cc              ror ah, cl
    0003E089  cdcf              int 0xcf
    0003E08B  ce                into
    0003E08C  ae                scasb al, byte ptr es:[edi]
    0003E08D  c4                .byte 0xc4
    0003E08E  cc                int3
    0003E08F  cc                int3
    0003E090  0000              add byte ptr [eax], al
    0003E092  ff                .byte 0xff
    0003E093  ff                .byte 0xff
    0003E094  ff                .byte 0xff
    0003E095  ff08              dec dword ptr [eax]
    0003E097  0000              add byte ptr [eax], al
    0003E099  00e3              add bl, ah
    0003E09B  badcb1aef4        mov edx, 0xf4aeb1dc
    0003E0A0  f8                clc
    0003E0A1  f4                hlt
    0003E0A2  0000              add byte ptr [eax], al
    0003E0A4  0000              add byte ptr [eax], al
    0003E0A6  ff                .byte 0xff
    0003E0A7  ff                .byte 0xff
    0003E0A8  ff                .byte 0xff
    0003E0A9  ff08              dec dword ptr [eax]
    0003E0AB  0000              add byte ptr [eax], al
    0003E0AD  00f6              add dh, dh
    0003E0AF  e5f2              in eax, 0xf2
    0003E0B1  df                .byte 0xdf
    0003E0B2  e4ef              in al, 0xef
    0003E0B4  f7ee              imul esi
    0003E0B6  0000              add byte ptr [eax], al
    0003E0B8  0000              add byte ptr [eax], al
    0003E0BA  ff                .byte 0xff
    0003E0BB  ff                .byte 0xff
    0003E0BC  ff                .byte 0xff
    0003E0BD  ff1a              call ptr [edx]
    0003E0BF  0000              add byte ptr [eax], al
    0003E0C1  00f3              add bl, dh
    0003E0C3  ef                out dx, eax
    0003E0C4  e6f4              out 0xf4, al
    0003E0C6  f7e1              mul ecx
    0003E0C8  f2                .byte 0xf2
    0003E0C9  e5                .byte 0xe5
  • Embedded PE executable (severity: critical; rule: OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload (severity: critical; rule: OFFICE_PACKAGE_RISKY_FILE)
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to WinExec API (severity: high; rule: SC_STR_WINEXEC)
  • Reference to CreateProcess API (severity: high; rule: SC_STR_CREATEPROCESS)
  • Reference to LoadLibrary API (severity: high; rule: SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (severity: high; rule: SC_STR_GETPROCADDRESS)
  • Reference to VirtualAlloc API (severity: medium; rule: SC_STR_VIRTUALALLOC)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • embedded_office_00007877.exe
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x7877
    Size: 361353 bytes
    SHA-256: 0c20afed72bd55f867c55f7636e058d2552a3f8ea519461bc7977f29899c2e8e
    Detection: ClamAV: Win.Worm.Viking-9887063-0
    Obfuscation or payload: unlikely
  • ole10native_00.bin
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_1227023181/Ole10Native
    Size: 205932 bytes
    SHA-256: bb8461c88f8cc55cef150b91c39a4b7ccbb3a048d02fc7d275d01855d45d33c6
    Detection: ClamAV: Win.Worm.Viking-9887063-0
    Obfuscation or payload: unlikely
  • ole10native_01.bin
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_1227076102/Ole10Native
    Size: 39705 bytes
    SHA-256: 68625739a4e6d26b285bcc4b1f614ba71709cd722a21a1aaaea6a417d21fb458
  • ole10native_02.bin
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_1245506905/Ole10Native
    Size: 86137 bytes
    SHA-256: 26d2bcbe357a4a8829bfee59c7dd1917e82fcf3454283daac67d00be4ec4d894