Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 869057252cb67652…

MALICIOUS

Office (OLE) / .DOC

Size: 21.0 KB
Created: 2021-02-28 23:32:00
Authoring application: Microsoft Office Word
MD5: e582f3f495cbd17ca0c4a63e3ee8d7db
SHA-1: b88568044209fa55be290015f924baebb89c857c
SHA-256: 869057252cb67652a89248a497806609871fa551b4dac8112d6f12da9773bc81
302 Risk Score

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1105 Ingress Tool Transfer

The sample is a malicious Office document containing an embedded OLE package. This package is identified as a download-and-execute script that fetches a .bat file from 'http://159.89.238.15/new.bat'. The document also contains heuristics indicating the use of cmd.exe and PowerShell, and a lure to enable macros. The embedded script likely attempts to download and execute a second-stage payload, establishing a foothold on the victim's system.

Heuristics 8

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Ole10Native package payload is a download-and-execute script critical OFFICE_PACKAGE_SCRIPT_DROPPER
    The OLE Package's embedded payload contains a script that hosts a shell (PowerShell/WScript/mshta), fetches a remote resource, and executes it — a download-and-run dropper. Embedding such a script inside an Office document via the Object Packager is a direct user-execution delivery technique (MITRE T1204.002), not a benign attachment.
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://159.89.238.15/new.bat (URL)
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: ole10native_00.bin
SHA-256: e9b124fb6f2cdcd973de0262939c17099db2ecdf7c9ebf6cac47d25d60808517
Kind: ole-package
Source: OLE Ole10Native stream: ObjectPool/_1676031482/Ole10Native
Size: 1286 bytes