Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 67c9bdec991699fd…

MALICIOUS

Office (OLE) / .DOC

Size: 1.85 MB
Created: 2009-03-18 12:29:00
Authoring application: Microsoft Office Word
MD5: a0317cdb3c62ee79622209de118871b8 SHA-1: 895024b85fbffe5921e027c4a5b3656646d6d3aa SHA-256: 67c9bdec991699fdb7521f5cd0ecaa1fa1ba7ec5523ea96b1ee9adfa2d0f9714
Risk score: 304

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1140 Deobfuscate/Decode Files or Information
  • T1027 Obfuscated Files or Information

The sample is a Microsoft Office document that contains an embedded PE executable, identified by the 'OLE_EMBEDDED_EXE' heuristic. The 'OFFICE_PACKAGE_RISKY_FILE' and 'SE_PASSWORD_ARCHIVE_LURE' heuristics indicate that this embedded executable is likely intended to be delivered as a password-protected archive, a common tactic to evade initial security analysis. The presence of VirtualAlloc, LoadLibrary, and GetProcAddress API calls suggests the embedded executable is designed to load and execute code dynamically.

Heuristics (9)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (21)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size (one entry per carved file; the embedded PE entry also carries a Detection block)
embedded_office_0008989a.exe
1e2c13ce12c130923aa4dd7c0c82fe53dfae209929c06a87cdcb752f2f37d2f9
embedded-pe Office MZ+PE at offset 0x8989A 1373030 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.62, consistent with packed or encrypted content.
ole10native_00.bin
5068fbdee33bafde7e84b7a6377c4197f12ba6f1510093a0fb26402443210070
ole-package OLE Ole10Native stream: ObjectPool/_1235990337/Ole10Native 1704 bytes
ole10native_01.bin
27a0b8f07b8a42fa51ded003c13e6f8aad8babeae6cd2321117979af6773e109
ole-package OLE Ole10Native stream: ObjectPool/_1235992131/Ole10Native 1077 bytes
ole10native_02.bin
b7181ca9f626afee964926203e0648ba939f9c42b937b2e2c4441b5178979ccd
ole-package OLE Ole10Native stream: ObjectPool/_1236080524/Ole10Native 1667 bytes
ole10native_03.bin
d03f0ab8d06125ffce4b06aa4cf97e2054608c698d3d1f10191b9e1d8741e5d0
ole-package OLE Ole10Native stream: ObjectPool/_1236493050/Ole10Native 1030 bytes
ole10native_04.bin
805f284f1b09f8cba7bf87b68813adf63fe014ab706e9d6bfa544fb82daa440b
ole-package OLE Ole10Native stream: ObjectPool/_1236493141/Ole10Native 3107 bytes
ole10native_05.bin
3e7fd20fbc203e49390fbfbc30a98225aef2023c3372d69c00d16dfa516c8333
ole-package OLE Ole10Native stream: ObjectPool/_1236498606/Ole10Native 2303 bytes
ole10native_06.bin
93f7cea4f04bce250e370adbdaf2921ffb9df0a2c94f27be45e0e8de4586e365
ole-package OLE Ole10Native stream: ObjectPool/_1236624316/Ole10Native 1640 bytes
ole10native_07.bin
050c835318859635ec55b167ff03426bddb85da18f53cf9b0ec945ec95d8ef1c
ole-package OLE Ole10Native stream: ObjectPool/_1236664110/Ole10Native 2361 bytes
ole10native_08.bin
63a85b7dcc7f8c43f41eed15cfec474f522bc8349048d243039c6567563d1d42
ole-package OLE Ole10Native stream: ObjectPool/_1236664332/Ole10Native 3408 bytes
ole10native_09.bin
a33261cca65ec5d4f331aff00ee2e193895963181e2ff35e45f5a32e8a45521c
ole-package OLE Ole10Native stream: ObjectPool/_1236664473/Ole10Native 3959 bytes
ole10native_10.bin
7cb18cfa87cc1583ff92584b83808004e79dee28b8b9a52f5914c49018d88aa7
ole-package OLE Ole10Native stream: ObjectPool/_1236666283/Ole10Native 2379 bytes
ole10native_12.bin
73a483898816d6edc6d2932dd70398803bffec63ce169f9478a35ccf1a1d2f96
ole-package OLE Ole10Native stream: ObjectPool/_1236666355/Ole10Native 1403 bytes
ole10native_13.bin
dca84607b37114a8a854a8535dc75a2631cbe6ce33f527df52aedfadf4de4425
ole-package OLE Ole10Native stream: ObjectPool/_1236666810/Ole10Native 1851 bytes
ole10native_14.bin
2b31586902fb53743a048d0484f63faf934d7fd16828c91e926a17a005cdf33f
ole-package OLE Ole10Native stream: ObjectPool/_1236667962/Ole10Native 1849 bytes
ole10native_15.bin
19f76fcff929990d44609d62b2918b7eaaf8351d4b28b85d14ec06d766710fa2
ole-package OLE Ole10Native stream: ObjectPool/_1236668186/Ole10Native 1358 bytes
ole10native_16.bin
5bf736a4fd9c8e5369fe3a95e8e153e629b7a1a4bab51e9f31defbd987ec21cc
ole-package OLE Ole10Native stream: ObjectPool/_1236668550/Ole10Native 1852 bytes
ole10native_17.bin
e7a8f2ce8c5d717fa6a5b23ab9aed9a754ea3cc06fc661072f9ed423db5f6256
ole-package OLE Ole10Native stream: ObjectPool/_1236668899/Ole10Native 1889 bytes
ole10native_18.bin
a456ddbc2d7dab079084fa32b8ccc0c5daa82064bd6e7bc15248113355fadd61
ole-package OLE Ole10Native stream: ObjectPool/_1236671275/Ole10Native 2276 bytes
ole10native_19.bin
d69c5ff96f4bd5168195ee178707d45cd32e7c92be467cb6cfe3104bd9a4967a
ole-package OLE Ole10Native stream: ObjectPool/_1236671276/Ole10Native 2203 bytes
ole10native_20.bin
64d769b7fde991bdd62494a3d2b182bfdb38c1452721050e8f3bd46597df13d6
ole-package OLE Ole10Native stream: ObjectPool/_1298959048/Ole10Native 114844 bytes