Win.Malware.Reconyc-6982837-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 5f9d0621ccf4343f…

MALICIOUS

Office (OLE)

333.6 KB Created: 2016-10-31 23:39:00 Authoring application: Microsoft Office Word First seen: 2018-02-07
MD5: 2eac466f37d93d69c718b9d42ccb2a3f SHA-1: e1f850c3be4f5916cbcf7bb84711ddb1de66e68c SHA-256: 5f9d0621ccf4343f330fa32145c0424f94d8d19f2a61cdc66ebc2b11592a62bd
482 Risk Score

Malware Insights

Win.Malware.Reconyc-6982837-0 · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.003 Windows Command Shell T1203 Exploitation for Client Execution

The sample is an OLE document containing an embedded executable file (ole10native_00.bin) which is likely intended to be automatically executed upon opening. Heuristics indicate suspicious invocation of cmd.exe and references to CreateProcess, ShellExecute, VirtualAlloc, LoadLibrary, and GetProcAddress APIs, suggesting the execution of a malicious payload. The document body attempts to trick the user into opening the embedded file by presenting it as a scanned document.

Heuristics 11

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • ClamAV: Win.Malware.Reconyc-6982837-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Malware.Reconyc-6982837-0
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1539469529/Ole10Native 274440 bytes
SHA-256: 275fb70cd77dab6c628ed722caaeed48b6d7b3165e2b0fec4c6a15b5e2a8c758
Detection
ClamAV: Win.Malware.Reconyc-6982837-0
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): cmd.exe /c echo E4E9437648EB", cmd.exe /c echo 8EA91BEDD7", cmd.exe /c ren \"%tmp%\\E4E9437648EB\" E4E9437648EB.exe" Carved artifact entropy is 7.70, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.