Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7441660572674ccd…

MALICIOUS

Office (OLE)

86.0 KB Created: 2010-02-04 13:36:00 Authoring application: Microsoft Word 9.0
MD5: 8f4ea0c6e98d7ed685ad84263770705a SHA-1: 6b7d0917d7c52706d0c18fe8fdc84f1ecd2103e1 SHA-256: 7441660572674ccdca607ed151736affb58b612ac55d1790d1e7e31ef6e7827f
222 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1027 Obfuscated Files or Information T1140 Deobfuscate/Decode Files or Information T1203 Exploitation for Client Execution

The sample is an OLE document containing an embedded PE executable, identified by the 'OLE_EMBEDDED_EXE' heuristic. The 'OFFICE_PACKAGE_RISKY_FILE' heuristic further indicates that the Ole10Native package is designed to drop an auto-executable payload. The presence of WinExec and VirtualAlloc API references suggests the embedded executable is likely to perform malicious actions such as downloading and executing further stages or establishing persistence.

Heuristics 6

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.terrassa.cat/firamodernista

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0000be04.exe
6c5a28dc5afcc373182d84576f73824ba03ba454284abe75a7a033ef0566ccb9		 embedded-pe Office MZ+PE at offset 0xBE04 39420 bytes
ole10native_00.bin
d15641a6318934c4b635225640501aa020db3d776988327debb404ce27e1b1b4		 ole-package OLE Ole10Native stream: ObjectPool/_1009867771/Ole10Native 41580 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.