Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 6ff5db127e266f84…

MALICIOUS

Office (OLE) / .DOC

183.5 KB Created: 2010-05-31 08:54:00 Authoring application: Microsoft Word 10.0
MD5: 0846d4c529e349b8c975a8dbf472cf1a SHA-1: c3c037ce7f9f223b908dd2f3da46dae7840b41db SHA-256: 6ff5db127e266f8474e7d91519b96a6ad91359b9f742b95a3a9363e02955960f
380 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is a malicious Microsoft Word document that leverages CVE-2007-3899, a memory corruption vulnerability, to execute arbitrary code. It also contains an embedded OLE package that is flagged as containing a risky executable payload. The document body appears to be a legitimate quotation, suggesting the lure is likely social engineering via email attachment.

Heuristics 8

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • ClamAV: Doc.Trojan.Beast-11 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Beast-11
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ole10native_00.bin
650590fe161adc789b39026db97d0ed930d25b1453b92897d0af4f36962bfc2e		 ole-package OLE Ole10Native stream: ObjectPool/_1001395161/Ole10Native 56428 bytes
Detection
ClamAV: Doc.Trojan.Beast-11
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.