Verdict: MALICIOUS
Risk Score: 280
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.005 Visual Basic
The sample is an OLE document that contains an Ole10Native (Packager) object, a well-known vehicle for dropping executable payloads. String heuristics find references to PowerShell and Windows Script Host, and the Ole10Native package is flagged as risky because the file it embeds carries an auto-executable extension and is identified as a VBScript. Taken together, this indicates a document built to deliver and execute a malicious script, with the OLE structure possibly exploiting a flaw in OLE handling.
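The Ole10Native (Packager) dropping mechanism the summary describes, as an added example that is not part of this report or the analyzer's code: it serialises a constructed Package stream, parses it back using the field layout that oletools' oleobj parser uses for this structure, and applies the two checks the heuristics below describe, the auto-executable-extension test on the displayName/fullPath and the tool-name-near-run-indicator proximity scan. The extension list, the regex patterns, the 220-character window and the sample VBScript are this example's assumptions, not values from the report.

```python
"""Parse an Ole10Native (Packager) stream and triage what it embeds.

Added example for this report, not the analyzer's own code. The field layout
follows the Packager stream structure as parsed by oletools' oleobj (size,
flags, label, original path, two short fields, temp-path length, temp path,
data size, data). The stream below is constructed here, not carved from the
sample; the extension list, LOLBin/flag patterns and window are assumptions.
"""
import re
import struct

# Extensions the default shell host runs directly on double-click (assumed list).
AUTO_EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
                  ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".msi"}

# Tool names and "run this" indicators for the proximity check (assumed patterns).
LOLBIN_RE = re.compile(r"\b(?:powershell|pwsh|mshta|cmd|rundll32|regsvr32|"
                       r"wscript|cscript|certutil|bitsadmin)\b", re.I)
DANGER_RE = re.compile(r"(?:-enc\w*|-nop\b|-w\s*hidden|bypass|\s/c\s|"
                       r"https?://\S+|downloadstring|\.run\b|\.exec\b|shellexecute)", re.I)
WINDOW = 220  # characters either side of the tool name, as in the report's heuristic


def _zstr(buf: bytes, i: int) -> tuple[str, int]:
    """Read a NUL-terminated ANSI string starting at offset i."""
    end = buf.index(b"\x00", i)
    return buf[i:end].decode("latin-1"), end + 1


def parse_ole10native(stream: bytes) -> dict:
    """Return the label, paths and raw payload of an Ole10Native stream."""
    native_size, = struct.unpack_from("<I", stream, 0)  # size of everything after this field
    i = 4
    flags1, = struct.unpack_from("<H", stream, i)
    i += 2
    if flags1 != 2:
        raise ValueError(f"unexpected Ole10Native header flags 0x{flags1:04x}")
    label, i = _zstr(stream, i)        # displayName shown to the user
    orig_path, i = _zstr(stream, i)    # fullPath on the author's machine
    i += 4                             # flags2 + unknown short (normally 00 00 03 00)
    tmp_len, = struct.unpack_from("<I", stream, i)
    i += 4
    tmp_path = stream[i:i + tmp_len].rstrip(b"\x00").decode("latin-1")
    i += tmp_len
    data_size, = struct.unpack_from("<I", stream, i)
    i += 4
    data = stream[i:i + data_size]
    if len(data) != data_size:
        raise ValueError("Ole10Native payload is truncated")
    return {"native_size": native_size, "label": label, "orig_path": orig_path,
            "tmp_path": tmp_path, "data": data,
            "size_consistent": native_size == len(stream) - 4}


def build_ole10native(label: str, orig_path: str, tmp_path: str, data: bytes) -> bytes:
    """Serialise a Package object in the same layout (used to construct the sample)."""
    body = struct.pack("<H", 2)
    body += label.encode("latin-1") + b"\x00"
    body += orig_path.encode("latin-1") + b"\x00"
    body += b"\x00\x00\x03\x00"
    tmp = tmp_path.encode("latin-1") + b"\x00"
    body += struct.pack("<I", len(tmp)) + tmp
    body += struct.pack("<I", len(data)) + data
    return struct.pack("<I", len(body)) + body


def risky_extension(name: str) -> bool:
    """OFFICE_PACKAGE_RISKY_FILE check: does the name end in an auto-executable extension?"""
    m = re.search(r"\.[A-Za-z0-9]{1,4}$", name)
    return bool(m) and m.group(0).lower() in AUTO_EXEC_EXTS


def lolbin_hits(text: str, window: int = WINDOW) -> list[tuple[str, str]]:
    """SE_LOLBIN_RUN_COMMAND check: tool name within `window` chars of a run indicator."""
    hits = []
    for tool in LOLBIN_RE.finditer(text):
        lo, hi = max(0, tool.start() - window), min(len(text), tool.end() + window)
        for flag in DANGER_RE.finditer(text, lo, hi):
            hits.append((tool.group(0), flag.group(0)))
    return hits


def triage(stream: bytes) -> tuple[dict, list[str]]:
    """Parse the stream and return it with the heuristic IDs that fire."""
    pkg = parse_ole10native(stream)
    findings = []
    if risky_extension(pkg["label"]) or risky_extension(pkg["orig_path"]):
        findings.append("OFFICE_PACKAGE_RISKY_FILE")
    if lolbin_hits(pkg["data"].decode("latin-1", "replace")):
        findings.append("SE_LOLBIN_RUN_COMMAND")
    return pkg, findings


# Constructed sample: a tiny VBScript dropper stub packaged as invoice.vbs.
SAMPLE_VBS = (b'Set sh = CreateObject("WScript.Shell")\r\n'
              b'sh.Run "powershell -nop -w hidden -enc QQBB", 0, False\r\n')
SAMPLE_STREAM = build_ole10native("invoice.vbs", "C:\\Users\\victim\\invoice.vbs",
                                  "C:\\Temp\\invoice.vbs", SAMPLE_VBS)

if __name__ == "__main__":
    pkg, findings = triage(SAMPLE_STREAM)
    print(pkg["label"], pkg["orig_path"], len(pkg["data"]), "bytes")
    print("findings:", findings)
```

On a real document the stream would come from the `ObjectPool/_.../Ole10Native` entry of the OLE container (olefile or oletools can read it); both checks run on the label and original path the author left in the package, which is why a renamed payload still trips the extension test.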
Heuristics (7)

- OLE with Ole10Native — possible CVE-2026-21514 exploitation (high, CVE likely, CVE_2026_21514): Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.

- Ole10Native package drops an auto-executable payload (critical, OFFICE_PACKAGE_RISKY_FILE): OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary, or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use; it is a malware-delivery dropper.

- Reference to PowerShell (high, SC_STR_POWERSHELL): a PowerShell string reference occurs in the sample.

- Reference to Windows Script Host (high, SC_STR_WSCRIPT): a Windows Script Host (WScript) string reference occurs in the sample.

- LOLBin token sequence in document text (high, SE_LOLBIN_RUN_COMMAND): Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, ...) within 220 characters of a dangerous flag, command verb, or URL. In HTML/PDF/RTF lure bodies this is a visible "run this" instruction; in macro-laden Office files it is the macro's own string-pool entries appearing adjacent in extracted text.

- Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

- NOP-equivalent sled detected (medium, SC_NOP_EQUIV_SLED): Long run of 0x40 bytes, which decode as single-byte inc eax in 32-bit x86 (in 64-bit mode 0x40 to 0x4F are REX prefixes, not instructions). Caveat: 0x40 is also ASCII "@", and the bytes that follow the run in the disassembly (38 40 40 ... 32) decode to the printable string "8@@@@@@@@E1FBA@E@@B4@9CD2". In an OLE file carrying an embedded VBScript, a run of "@" is at least as likely to be text padding or obfuscation filler as an x86 sled, so weigh this finding as supporting rather than primary evidence; the payload-drop and script-reference findings above carry the verdict.
Disassembly

Attempted x86 opcode disassembly (32-bit decoding):

0000C4D7 40 inc eax
0000C4D8 40 inc eax
0000C4D9 40 inc eax
(0000C4DA through 0000C51D: 68 further identical single-byte instructions, 40 inc eax, 71 in total from 0000C4D7)
0000C51E 38 40 40 cmp byte ptr [eax + 0x40], al
0000C521 40 inc eax
(0000C522 through 0000C526: 40 inc eax, 6 in total from 0000C521)
0000C527 45 inc ebp
0000C528 31 46 42 xor dword ptr [esi + 0x42], eax
0000C52B 41 inc ecx
0000C52C 40 inc eax
0000C52D 45 inc ebp
0000C52E 40 inc eax
0000C52F 40 inc eax
0000C530 42 inc edx
0000C531 34 40 xor al, 0x40
0000C533 39 43 44 cmp dword ptr [ebx + 0x44], eax
0000C536 32 .byte 0x32
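A detector for the SC_NOP_EQUIV_SLED finding that also applies the text-versus-code check a reviewer would want, as an added example rather than the analyzer's code: REPORT_RUN is reconstructed from the bytes printed in the disassembly above, CODE_RUN is a constructed contrast case with a 0x90 sled ahead of non-text decoder-stub bytes, and the opcode set, minimum run length and printable-neighbour threshold are assumptions of this example.

```python
"""Flag runs of single-byte NOP-equivalent opcodes and tell text from code.

Added example for this report, not the analyzer's code. REPORT_RUN is
reconstructed from the bytes printed in the disassembly (71 x 0x40, then
38 40 40, six more 0x40, then 45 31 46 42 41 40 45 40 40 42 34 40 39 43 44 32);
CODE_RUN is a constructed contrast case. The opcode set, minimum run length
and printable-neighbour threshold are this example's assumptions.
"""

# Single-byte 32-bit x86 opcodes that do not disturb control flow (assumed set):
# NOP, INC/DEC r32, the BCD adjusts, CWDE/CDQ and flag-setting instructions.
NOP_EQUIV = {0x90, 0x27, 0x2F, 0x37, 0x3F, 0x98, 0x99, 0xF5, 0xF8, 0xF9, 0xFC} | set(range(0x40, 0x50))
MIN_RUN = 32
BASE = 0xC4D7  # file offset of the first byte in REPORT_RUN, taken from the report


def _printable(b: int) -> bool:
    return 0x20 <= b < 0x7F


def find_runs(buf: bytes, min_run: int = MIN_RUN) -> list[tuple[int, int]]:
    """Return (start, end) slices of buf made only of NOP-equivalent bytes."""
    runs, i = [], 0
    while i < len(buf):
        if buf[i] in NOP_EQUIV:
            j = i
            while j < len(buf) and buf[j] in NOP_EQUIV:
                j += 1
            if j - i >= min_run:
                runs.append((i, j))
            i = j
        else:
            i += 1
    return runs


def classify_run(buf: bytes, start: int, end: int, context: int = 32) -> tuple[str, float]:
    """Text-like if the filler byte is printable and so are its neighbours."""
    neigh = buf[max(0, start - context):start] + buf[end:end + context]
    ratio = sum(_printable(b) for b in neigh) / len(neigh) if neigh else 0.0
    filler_is_text = all(_printable(b) for b in buf[start:end])
    verdict = "text-like" if filler_is_text and ratio >= 0.8 else "code-like"
    return verdict, round(ratio, 2)


def analyze(buf: bytes, base: int = 0) -> list[dict]:
    """Report every qualifying run with its file offset, length and verdict."""
    out = []
    for s, e in find_runs(buf):
        verdict, ratio = classify_run(buf, s, e)
        out.append({
            "offset": base + s,
            "length": e - s,
            "bytes": sorted({f"0x{b:02x}" for b in buf[s:e]}),
            "verdict": verdict,
            "neighbour_printable": ratio,
            # show the run plus trailing context as text when it reads as text
            "as_text": buf[s:e + 32].decode("latin-1") if verdict == "text-like" else None,
        })
    return out


# Reconstructed from the report's disassembly listing (offsets 0xC4D7..0xC536).
REPORT_RUN = (b"\x40" * 71 + b"\x38\x40\x40" + b"\x40" * 6 +
              bytes([0x45, 0x31, 0x46, 0x42, 0x41, 0x40, 0x45, 0x40, 0x40, 0x42,
                     0x34, 0x40, 0x39, 0x43, 0x44, 0x32]))
# Constructed: a 0x90 sled followed by non-text decoder-stub bytes.
CODE_RUN = b"\x90" * 40 + bytes([0xE8, 0x00, 0x00, 0x00, 0x00, 0x5E, 0x81, 0xC6, 0x10, 0x00,
                                 0x00, 0x00, 0x31, 0xC9, 0xB1, 0x20, 0x80, 0x36, 0x41, 0x46,
                                 0xE2, 0xFA])

if __name__ == "__main__":
    for name, buf, base in (("report", REPORT_RUN, BASE), ("constructed", CODE_RUN, 0)):
        for r in analyze(buf, base):
            print(name, hex(r["offset"]), r["length"], r["verdict"],
                  r["neighbour_printable"], r["as_text"])
```

Run on the report's bytes the single 71-byte run is classified text-like, because both the filler ("@") and everything after it are printable ASCII; the constructed 0x90 sled is classified code-like. That distinction is the check to make before letting a sled heuristic contribute to a risk score for a document format that carries text.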
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| ole10native_00.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1571473805/Ole10Native | 86492 bytes |

ole10native_00.bin details:

- SHA-256: 49b4380856164c51e69fbe0f1b4dee458b6089225fa666d03f85587e5afde811
- Detection (ClamAV): No threats found
- Obfuscation or payload: likely
- Static shellcode analysis recovered command string(s): WScript.Echo XvGaYTUnaFxQMecc, WScript.Echo "OEwpIfKfSKIdKnqw", WScript.Echo "sfwkePiNNsmPruKVFJ"

The recovered WScript.Echo calls with random-looking identifiers are typical junk statements inserted to pad or obfuscate a VBScript: they confirm the payload is VBScript but do not reveal its real action, and a clean ClamAV result on a freshly generated script is not evidence of benignity.