Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 81cf9fe73d556483…

MALICIOUS

Office (OLE) / .DOC

122.5 KB Created: 2010-07-31 11:38:00 Authoring application: Microsoft Office Word
MD5: c52f155ff8bbd2464a193511305d376b SHA-1: ff21123b9bd5fdd3d8854df04979b89086296d85 SHA-256: 81cf9fe73d55648349d67f564d1cdab2ef1d3e038714a2fa296df7551ace2d8a
620 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File T1059.001 PowerShell T1059.003 Windows Command Shell

The sample is a malicious OLE document containing a VBA macro and an embedded PE executable. The 'Document_Open' macro likely initiates the execution of the embedded executable, which is detected by ClamAV as Win.Trojan.SCKeylog-20. The presence of API calls like CreateProcess, ShellExecute, VirtualAlloc, WriteProcessMemory, CreateRemoteThread, LoadLibrary, and GetProcAddress suggests the embedded executable is designed to download and execute a second-stage payload. The 'EMBED Package' document body is a generic indicator, but the combination of heuristics and the embedded executable strongly points to a downloader or dropper.

Heuristics 14

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY
    Reference to WriteProcessMemory API
  • Reference to CreateRemoteThread API critical SC_STR_CREATEREMOTETHREAD
    Reference to CreateRemoteThread API
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Win.Trojan.SCKeylog-20 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.SCKeylog-20
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
fba5597e7a53080eb144ffa7e26eb9613ed61d655605838f5735ca7cb723d59a		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 385 bytes
embedded_office_00003236.exe
e97259d323adf89e2b8a461d556504ac1174fc837a859cb0c3035ff7ce8f5072		 embedded-pe Office MZ+PE at offset 0x3236 112586 bytes
Detection
ClamAV: Win.Trojan.SCKeylog-11
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
ole10native_00.bin
45ae157edceddca98a80ff6ac757bcb3dcf702ba06262cda3afbdfd51601e5f9		 ole-package OLE Ole10Native stream: ObjectPool/_1342085086/Ole10Native 103670 bytes
Detection
ClamAV: Win.Trojan.SCKeylog-20
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.