Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 76be59c7f3118a3a…

MALICIOUS

Office (OLE)

259.5 KB Created: 2005-07-15 13:11:58 Authoring application: Microsoft Excel First seen: 2019-11-20
MD5: 3c5dfaaaf5e79a2e02462b3477a13560 SHA-1: 14a828b6eef8d2c658e4b5f774522d695f2c3189 SHA-256: 76be59c7f3118a3a52895697f485a23c1f6bcb5f932c922f8e823638e9532c3d
162 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is an OLE file that contains an embedded executable payload, indicated by the 'OFFICE_PACKAGE_RISKY_FILE' heuristic. The 'CVE_2026_21514' heuristic suggests exploitation of a known OLE vulnerability to achieve execution. The embedded executable is likely intended to be the primary malicious payload.

Heuristics 5

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.boldonjames.com/2008/01/sie/internal/label In document text (OLE body)
    • http://www.boldonjIn document text (OLE body)
    • http://www.w3.org/2001/XMLSchema-instanceIn document text (OLE body)
    • http://www.w3.org/2001/XMLSchemaIn document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ole10native_00.bin ole-package OLE Ole10Native stream: MBD0006AFC4/Ole10Native 41580 bytes
SHA-256: a27098c1b6a72c3a23146b58d306c1b334ba15ef295c3f15197a7bbc1a423284

Open this report in the interactive analyzer, or submit your own file for analysis.