Office (OLE) malware analysis — malicious · 6f3b023b8fbe3729

MALICIOUS

Office (OLE)

111.5 KB Created: 2017-09-15 05:46:00 Authoring application: Microsoft Office Word First seen: 2017-11-20

MD5: 697470442f7c4108ba586d86ed06b0b0 SHA-1: a525420edf7ebd0b3908b6912d17728041f45c68 SHA-256: 6f3b023b8fbe3729c1ab378233dc265a42fcc08909e6dfb0558669081d4dce87

160 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file is an OLE document containing a malicious Ole10Native package, identified as a potential exploitation attempt for CVE-2026-21514. This package is designed to drop and execute a VBScript payload, indicating a dropper functionality. The presence of a VBScript payload strongly suggests the document is intended to deliver further malicious content.

Heuristics 3

OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514

Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
ClamAV: Doc.Dropper.Agent-6349714-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6349714-0
Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE

OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ole10native_00.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1566945241/Ole10Native	70775 bytes
SHA-256: `320ef5dd8386590f9aef6377072cb52ab7efac5e663ba62903406629c80d9306`

Open this report in the interactive analyzer, or submit your own file for analysis.