Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 64cdfec0be049dd9…

MALICIOUS

Office (OLE) / .DOCX

66.5 KB Created: 2020-01-28 19:57:00 Authoring application: Microsoft Office Word
MD5: c74ac20f269fb8a542ba579d680703de SHA-1: 5e06ae982e291b4c8abfd477308aa84daf892bc7 SHA-256: 64cdfec0be049dd92388b1e5d8a5ef130907c8ea6a2a1f61564fd865892d24e8
122 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The sample is a malicious Office document containing an embedded OLE package. Heuristics indicate this package is designed to drop an executable payload, likely a batch file, and the document itself contains a lure to enable macros. This suggests a spearphishing attachment attack pattern aimed at executing a secondary payload.

Heuristics 4

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ole10native_00.bin
3c491e21b7f74d41f3fecc04d47aa9aef4e1f7dee79a53c9cac0c4c88ef03c03		 ole-package OLE Ole10Native stream: ObjectPool/_1642336401/Ole10Native 23162 bytes
ole10native_01.bin
b146986f89ad9b4e1e24e692fe016587a950e72e04bb51de1105ca5bac9730b6		 ole-package OLE Ole10Native stream: ObjectPool/_1642336402/Ole10Native 23189 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.