Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 5a9bc0aefce88442…

MALICIOUS

Office (OLE) / .DOC

Size: 198.5 KB
Created: 2010-07-17 19:58:00
Authoring application: Microsoft Office Word
MD5: 2569a5e673a9b8dca5310e171572c94a
SHA-1: a9e90fc1223e316b584b63622190438426110b9b
SHA-256: 5a9bc0aefce88442c168dfd544f9382cf4a729076d2f289823459fac74f0bac1
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1137.001 Office Application Build Process
  • T1027 Obfuscated Files or Information
  • T1105 Ingress Tool Transfer

The sample is a Microsoft Office document that contains an embedded executable file (MZ header verified). Heuristics indicate that this is an Ole10Native package designed to drop an auto-executable payload. The document body discusses stainless steel properties and does not appear to be directly related to the embedded malicious content, suggesting a lure. The embedded executable is the primary indicator of malicious intent.

Heuristics (6)

  • OLE with Ole10Native: possible CVE-2026-21514 exploitation (severity: high, CVE likely, rule: CVE_2026_21514)
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 concerns OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable (severity: critical, rule: OLE_EMBEDDED_EXE)
    MZ/PE header found inside the document, indicating a possible embedded executable.
  • Ole10Native package drops an auto-executable payload (severity: critical, rule: OFFICE_PACKAGE_RISKY_FILE)
    The OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use; it is a malware-delivery dropper.
  • Reference to WinExec API (severity: high, rule: SC_STR_WINEXEC)
    A string reference to the WinExec API was found in the sample.
  • Reference to VirtualAlloc API (severity: medium, rule: SC_STR_VIRTUALALLOC)
    A string reference to the VirtualAlloc API was found in the sample.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
embedded_office_0002389e.exe | 6d38bb8ace55423851e0a9121eb6657d7a94392d662e8b63af50fe4390925330 | embedded-pe | Office MZ+PE at offset 0x2389E | 57698 bytes
ole10native_00.bin | b20f6c21aec432399b31454e7962a58787f0382465bff1cfa9d21c8b171178d6 | ole-package | OLE Ole10Native stream: ObjectPool/_1340905395/Ole10Native | 41580 bytes