Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 594599cef1daaa0e…

MALICIOUS

Office (OLE)

363.0 KB Created: 2010-02-18 14:11:00 Authoring application: Microsoft Word 9.0
MD5: 33f079b33f4f1dbc1edacc62f24fc93e SHA-1: b0e98e7a67757da9da8e348ce4e015218c0b734c SHA-256: 594599cef1daaa0e1696a0e48e2806b6a741aad919c4369d57d8b7b4ba022290
462 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1105 Ingress Tool Transfer T1204.002 Malicious File

The file is an OLE document containing embedded URLs and a PE executable. Heuristics indicate the use of ShellExecute, URLDownloadToFile, LoadLibrary, and GetProcAddress, suggesting the document is designed to download and execute a secondary payload. The embedded executable, 'embedded_office_00003a70.exe', is flagged by ClamAV as Win.Trojan.Prorat-9, confirming its malicious nature. The document body itself contains references to these URLs and mentions AV-Fucker, indicating a potential social engineering lure.

Heuristics 11

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • XOR-encoded strings (key 0x55) critical SC_XOR_ENCODED
    Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x55: 'VirtualAlloc'
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Win.Trojan.Prorat-9 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Prorat-9
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://virusscan.jotti.org/images/logos/nod32.gif
    • http://virusscan.jotti.org/images/logos/panda.gif

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00003a70.exe
640ab7d253362929debf6cc5f529b0d9686e4ba83baf253e9be9e1e9aa1b887a		 embedded-pe Office MZ+PE at offset 0x3A70 356752 bytes
Detection
ClamAV: Win.Trojan.Prorat-9
Obfuscation or payload: likely
Carved artifact entropy is 7.88, consistent with packed or encrypted content.
ole10native_00.bin
3a70e8c27a7982e0f14fcc892f18de899dce92e81eabf52387c57e565755ac0a		 ole-package OLE Ole10Native stream: ObjectPool/_1328011078/Ole10Native 350878 bytes
Detection
ClamAV: Win.Trojan.Prorat-9
Obfuscation or payload: likely
Carved artifact entropy is 7.90, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.