Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8231b9ad89ebf783…

MALICIOUS

Office (OLE)

Size: 707.0 KB
Created: 2017-07-11 09:02:00
Authoring application: Microsoft Office Word
First seen: 2018-03-04
MD5: d14a7dd2bc6b6e130d6659b0075a7084
SHA-1: 428f6a3a1a50b9880e8de65e28ffb2bcac364f2d
SHA-256: 8231b9ad89ebf783c3368687ba076c20c7f294f9cd612b10cdb153e92c4e2931
Risk Score: 400

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file is an OLE document containing an embedded PE executable, identified by the 'OLE_EMBEDDED_EXE' heuristic. This executable is likely the primary payload, designed to be dropped and executed, and may carry Metasploit shellcode, as indicated by the 'SC_MSF_REVERSE' heuristic firing. The presence of an 'Ole10Native' stream suggests a potential exploitation vector for client execution.

Heuristics (9)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation (severity: high; tag: CVE likely; rule: CVE_2026_21514)
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • ClamAV: Doc.Downloader.Jrat-6336393-1 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Jrat-6336393-1
  • Metasploit reverse_tcp shellcode (severity: critical; rule: SC_MSF_REVERSE)
    Metasploit reverse_tcp shellcode
    Disassembly
    Attempted x86 opcode disassembly
    0004F86F  fc                cld
    0004F870  e882000000        call 0x4f8f7
    0004F875  5f                pop edi
    0004F876  5e                pop esi
    0004F877  5b                pop ebx
    0004F878  8be5              mov esp, ebp
    0004F87A  5d                pop ebp
    0004F87B  c3                ret
    0004F87C  8d4000            lea eax, [eax]
    0004F87F  53                push ebx
    0004F880  56                push esi
    0004F881  8bd8              mov ebx, eax
    0004F883  3b5324            cmp edx, dword ptr [ebx + 0x24]
    0004F886  7436              je 0x4f8be
    0004F888  8bf2              mov esi, edx
    0004F88A  85f6              test esi, esi
    0004F88C  7518              jne 0x4f8a6
    0004F88E  33c0              xor eax, eax
    0004F890  8a4318            mov al, byte ptr [ebx + 0x18]
    0004F893  8b0485c85c4600    mov eax, dword ptr [eax*4 + 0x465cc8]
    0004F89A  50                push eax
    0004F89B  a1d0e94600        mov eax, dword ptr [0x46e9d0]
    0004F8A0  8b00              mov eax, dword ptr [eax]
    0004F8A2  ffd0              call eax
    0004F8A4  8bd0              mov edx, eax
    0004F8A6  895324            mov dword ptr [ebx + 0x24], edx
    0004F8A9  c6434401          mov byte ptr [ebx + 0x44], 1
    0004F8AD  8b4304            mov eax, dword ptr [ebx + 4]
    0004F8B0  e8ba060000        call 0x4ff6f
    0004F8B5  85f6              test esi, esi
    0004F8B7  7505              jne 0x4f8be
    0004F8B9  33c0              xor eax, eax
    0004F8BB  894324            mov dword ptr [ebx + 0x24], eax
    0004F8BE  5e                pop esi
    0004F8BF  5b                pop ebx
    0004F8C0  c3                ret
    0004F8C1  8bc0              mov eax, eax
    0004F8C3  3b5028            cmp edx, dword ptr [eax + 0x28]
    0004F8C6  7413              je 0x4f8db
    0004F8C8  895028            mov dword ptr [eax + 0x28], edx
    0004F8CB  c6402c00          mov byte ptr [eax + 0x2c], 0
  • Embedded PE executable (severity: critical; rule: OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload (severity: critical; rule: OFFICE_PACKAGE_RISKY_FILE)
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to LoadLibrary API (severity: high; rule: SC_STR_LOADLIBRARY)
    Reference to LoadLibrary API
  • Reference to GetProcAddress API (severity: high; rule: SC_STR_GETPROCADDRESS)
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API (severity: medium; rule: SC_STR_VIRTUALALLOC)
    Reference to VirtualAlloc API
  • Suspicious extracted artifact (severity: medium; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • embedded_office_0000447b.exe
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x447B
    Size: 706439 bytes
    SHA-256: 5ad2feca635e4c954ff9be76571b3bfe851f5a86f9e63aae241ee9250fc87c45
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Static shellcode analysis found candidate code region(s). Indicators: SC_MSF_REVERSE, SC_STR_VIRTUALALLOC, SC_STR_LOADLIBRARY
    Static shellcode analysis recovered API/import strings: LoadLibraryExA, VirtualAlloc, GetProcAddress, ExitProcess
  • ole10native_00.bin
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_1561272743/Ole10Native
    Size: 701267 bytes
    SHA-256: 25ea79263b2958e7354971679aa641e403680f9a3c8fb3adc63eafdb7fba14e9
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Static shellcode analysis found candidate code region(s). Indicators: SC_MSF_REVERSE, SC_STR_VIRTUALALLOC, SC_STR_LOADLIBRARY
    Static shellcode analysis recovered API/import strings: LoadLibraryExA, VirtualAlloc, GetProcAddress, ExitProcess