Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 86daa9a71e5c7e85…

MALICIOUS

Office (OLE) / .DOCX

Size: 273.0 KB
Created: 2021-09-30 10:42:00
Authoring application: Microsoft Office Word
First seen: 2026-05-13
MD5: 1331d4add0524da8950ef97790fbfa95
SHA-1: a2b62de9dd41b062efdb3e2e49dba5dcc8b7e2d7
SHA-256: 86daa9a71e5c7e856308da4031ade3d154831c5c90f561f4150780464e61f9a4
Risk score: 64

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1137.001 Office Application Build

The sample is a Microsoft Office document containing an embedded OLE package. This package is flagged as risky because it drops an executable payload, identified as a JAR file named PncRitaZJ5a2FWBVEJoaWPliZ4A6JMe57H.JAR. The presence of this embedded, executable artifact strongly suggests the document is designed to deliver malware. The document body is minimal, providing no further context on the lure.

Heuristics (3)

  • Ole10Native package drops an auto-executable payload (critical) [OFFICE_PACKAGE_RISKY_FILE]
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Suspicious extracted artifact (info) [EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: ole10native_00.bin
  Kind: ole-package
  Source: OLE Ole10Native stream: ObjectPool/_1694514582/Ole10Native
  Size: 241255 bytes
  SHA-256: c09a0b2e7ac49143c47e2c40f4482f8b005350215fd2972d9c61d3fc127d8c7f
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy is 7.98, consistent with packed or encrypted content)

Artifact 2
  Filename: ole10native_00_PncRitaZJ5a2FWBVEJoaWPliZ4A6JMe57H.JAR
  Kind: ole-package-payload
  Source: OLE Ole10Native payload: ObjectPool/_1694514582/Ole10Native
    display_name=PncRitaZJ5a2FWBVEJoaWPliZ4A6JMe57H.JAR
    full_path=C:\Users\MICROS~1\AppData\Local\Temp\{7509322A-E63A-4669-8A67-1253E665C46D}\PncRitaZJ5a2FWBVEJoaWPliZ4A6JMe57H.JAR
    temp_path=
    def_file=
  Size: 240430 bytes
  SHA-256: 47701eab020ea7b3bb90cbf7d0f96c23ab10351f958fbf24ae60483248b1f000