Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5a1e2f319492f0bc…

MALICIOUS

Office (OLE)

236.0 KB Created: 2008-01-26 17:38:00 Authoring application: Microsoft Office Word First seen: 2019-12-09
MD5: 5797f1b96c669d46a2cb753a9522fff9 SHA-1: 52b77c951e600138d232e44b7560c1ab8d3c3753 SHA-256: 5a1e2f319492f0bc7e5a9fac93c46b7d60e771f7fa85389ea5bbf006521caa3f
220 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is a malicious Office document containing an embedded PE executable and an Ole10Native package. The presence of Ole10Native suggests an attempt to exploit CVE-2026-21514, which can lead to the execution of dropped files. The embedded executable is likely a second-stage payload, and the document's content, while appearing to be educational material, is a lure to facilitate the execution of this payload.

Heuristics 5

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0000e02e.exe embedded-pe Office MZ+PE at offset 0xE02E 184274 bytes
SHA-256: 2aacb548405d6811a4f4f258c978832acd442087d7c13f5ee9702795be9a05b3
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_979485558/Ole10Native 41580 bytes
SHA-256: ce7d305f6faad5a19b03654aa6f1792e995da2eae7bfe2bdf54b19a1c573be2e

Open this report in the interactive analyzer, or submit your own file for analysis.