Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 785c2845af631f33…

MALICIOUS

Office (OLE) / .DOCX

20.0 KB Created: 2019-11-19 06:34:00 Authoring application: Microsoft Office Word
MD5: c4fc7abac76c14df6d4a5ede971254d8 SHA-1: ce3c31ed681b39ef2db3ab5c27f8c399f43ad443 SHA-256: 785c2845af631f33fda47b5a0fe5ccb338389b15e028e1ae7fa418d991e2c38f
260 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1204.001 User Execution: Malicious Link T1059.001 PowerShell T1218.009 System Binary Proxy Execution: Mshta

The document contains a lure to 'Enable Editing' and then double-click an embedded package, which is a common technique for malware droppers. Heuristics indicate references to PowerShell and mshta.exe, suggesting execution of malicious code. The embedded package is identified as a risky file type (bat). While a URL is present, it is marked as confirmed benign, and no scripts were extracted.

Heuristics 8

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • Reference to mshta.exe high SC_STR_MSHTA
    Reference to mshta.exe
  • Ole10Native package carries executable/script file type high OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in an executable or script-capable extension. Even without UI extension spoofing, embedding a runnable payload inside an Office document is a high-risk delivery pattern.
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://GoogleChromeUpdater.twilightparadox.com:448/html
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ole10native_00.bin
fd389f35f9715f801c8c37212e023c4f7e1d4df9aa4dfeede53dd5d2867296d4		 ole-package OLE Ole10Native stream: ObjectPool/_1636727561/Ole10Native 699 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.