Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 776d3e1a79d904e9…

MALICIOUS

Office (OLE)

Size: 328.5 KB
Created: 2011-10-11 06:00:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 4509ea7a2f497a64b4c5f5c543071b8e
SHA-1: bb0e09b0d0094af287fd56a8b43406d6b0059866
SHA-256: 776d3e1a79d904e9251b67b41527bb94c2974e05d7f982bd78f6f00f94e8243f
Risk Score: 402

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File

This Office document contains an embedded executable payload (MZ header detected) within an Ole10Native package. A heuristic indicates this package payload is a download-and-execute script, with the download URL identified as http://www.vietkey.net. The embedded executable, 'embedded_office_00005855.exe', is likely the second-stage payload. The document's content, appearing to be a financial or administrative notice, serves as a lure to trick the user into interacting with the malicious embedded object.

Heuristics (9)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation (severity: high; tag: CVE likely; id: CVE_2026_21514)
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • ClamAV: Doc.Dropper.Agent-6523076-0 (severity: critical; id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6523076-0
  • Embedded PE executable (severity: critical; id: OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package payload is a download-and-execute script (severity: critical; id: OFFICE_PACKAGE_SCRIPT_DROPPER)
    The OLE Package's embedded payload contains a script that invokes a script or shell host (PowerShell/WScript/mshta), fetches a remote resource, and executes it — a download-and-run dropper. Embedding such a script inside an Office document via the Object Packager is a direct user-execution delivery technique (MITRE T1204.002), not a benign attachment.
  • Ole10Native package drops an auto-executable payload (severity: critical; id: OFFICE_PACKAGE_RISKY_FILE)
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to ShellExecute API (severity: high; id: SC_STR_SHELLEXEC)
  • Reference to LoadLibrary API (severity: high; id: SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (severity: high; id: SC_STR_GETPROCADDRESS)
  • Embedded URL (severity: info; id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.vietkey.net (channel: embedded OLE package script)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind         Source                                                       Size
embedded_office_00005855.exe  embedded-pe  Office MZ+PE at offset 0x5855                                313771 bytes
  SHA-256: 6e0bd30fa5b8cdfb828d399a632948ba2df9109750ac4c269864abc7f3c2017e
ole10native_00.bin            ole-package  OLE Ole10Native stream: ObjectPool/_1387797115/Ole10Native  304727 bytes
  SHA-256: a16de63a740703d4cb1ac8d96027c84bdc8290b6cf799c72a603014000b989c7