Win.Packed.Loki — Office (OOXML) malware analysis

Static analysis result for SHA-256 828803e774a6a8a4…

MALICIOUS

Office (OOXML)

440.4 KB Created: 2021-10-21 05:57:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2021-10-23
MD5: 978891042c401f4f06a7575d86c62533 SHA-1: 1e51fadad4f54b068a3693aec6693c78feba3ee0 SHA-256: 828803e774a6a8a421b89862344bcce0445e8f38664baa1ceea169633fb3a73a
244 Risk Score

Malware Insights

Win.Packed.Loki · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is a Microsoft Office document containing an embedded OLE object that is flagged as containing an executable payload. ClamAV detections indicate the packed payload is likely Win.Packed.Loki. This suggests the document is designed to exploit a vulnerability, likely CVE-2026-21514, to execute the embedded malware upon opening.

Heuristics 6

  • OOXML Ole10Native with payload/link indicators — possible CVE-2026-21514 high CVE likely CVE_2026_21514
    Office document contains embedded OLE (word/embeddings/oleObject1.bin) with Ole10Native plus executable, PE, or risky remote-link indicators. This is a likely CVE-2026-21514 exploitation shape.
  • ClamAV: Win.Packed.Loki-10037570-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Packed.Loki-10037570-0
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/markup-compatibility/2006 In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject1.bin 503296 bytes
SHA-256: d4fdc394a9b5c81e03cd42f403c2f06d7a1ec2ed6913fac509bc6adc0a7f1e91
Detection
ClamAV: Win.Packed.Loki-10037570-0
Obfuscation or payload: likely
Carved artifact entropy is 7.75, consistent with packed or encrypted content.
ooxml_oleobject_00_ole10native_00.bin ole-package OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 496949 bytes
SHA-256: aec37f7a958e41a30f7621bc767815c9d3e9090b11a0adfa66ef20c19e7c01d2
Detection
ClamAV: Win.Packed.Loki-10037570-0
Obfuscation or payload: likely
Carved artifact entropy is 7.78, consistent with packed or encrypted content.
emf_00.emf ooxml-emf OOXML EMF part: word/media/image1.emf 5576 bytes
SHA-256: 409275941c0f1ca14b3b4d3987f57961957196185d4f61e36bff4c93d4742d3a

Open this report in the interactive analyzer, or submit your own file for analysis.