Malicious Office (OOXML) — malware analysis report

Heuristics 9

• OOXML Ole10Native with payload/link indicators — possible CVE-2026-21514 high CVE likely CVE_2026_21514
  Office document contains embedded OLE (ppt/embeddings/oleObject3.bin) with Ole10Native plus executable, PE, or risky remote-link indicators. This is a likely CVE-2026-21514 exploitation shape.
• Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
  OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
• LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
  Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
• NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED
  Long run of 0x40 bytes
• Embedded OLE object medium OOXML_OLE_OBJECT
  Document contains an embedded OLE object
• Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
• External hyperlinks (3) low OOXML_EXTERNAL_HYPERLINKS
  Document contains 3 external hyperlinks — clickable URLs are stored as external relationships. First target: http://www.wooyun.org/corps/中国移动
• Call-to-action shape / download button low OOXML_DOWNLOAD_SHAPE
  Document drawing contains a call-to-action phrase ('Click Here', 'Download Now', etc.) inside a shape or text box — a common visual lure used to trick users into enabling macros or visiting a malicious URL
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://211.140.12.83

  • http://www.zjmms.cn
  • http://localhost
  • http://127.0.0.1
  • http://192.168.10.220:9090
  • http://www.ebank.com/download.jsp
  • http://bank.com/transfer.do?acct=Alice&amout=1
  • http://bank.com/
  • http://siteA/updateuser.jsp?user=admin&pass=123456
  • http://some_site.com.br/get-files.jsp?file=report.pdf
  • http://some_site.com.br/get-page.jsp?home=aaa.html
  • http://some_site.com.br/some-page.jsp?page=index.html
  • http://some_site.com.br/
  • http://some_site.com.br/../../../../
  • http://www.wooyun.org/index.php
  • http://bsp.com/xss.js
  • http://bsp.com/xss.swf
  • http://163.fm/PxZHoxn
  • http://www.ipincai.com/person.do?xcase=updateEmail&coreLogonInfo.emailAddress=flyh4t%40126.com&coreLogonInfo.bakEmailAddress=&_coreLogonInfo.bakEnableFlag=on
  • http://www.wooyun.org/corps/中国移动
  • http://163.fm/PxZHoxn?id=
  • http://www.2kt.cn/images/t.js
  • http://www.abc.com/user/changeinfo.jsp
  • http://www.abc.com/download.jsp?filename=
  • http://www.abc.com/a.jsp?username=abc;exec
  • http://www.owasp.org
  • https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
  • http://weibo.com/pub/star
  • http://weibo.com/pub/star/g/xyyyd%22%3E%3Cscript%20src=//www.2kt.cn/images/t.js%3E%3C/script%3E?type=update
  • http://weibo.com/pub/star/g/xyyyd
  • http://weibo.com/mblog/publish.php?rnd=
  • http://weibo.com/attention/aj_addfollow.php?refer_sort=profile&atnId=profile&rnd=
  • http://weibo.com/
  • http://weibo.com/message/addmsg.php?rnd=
  • http://weibo.com/pub/topic

Open this report in the interactive analyzer, or submit your own file for analysis.