Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8753e4cdd6aba1e2…

MALICIOUS

Office (OLE)

218.5 KB Created: 2007-09-01 11:19:00 Authoring application: Microsoft Office Word First seen: 2019-05-16
MD5: 5c64494770a9cfe833e10730f9b823e5 SHA-1: 5311be81d135d8d88f974407bf77c1127d8f9992 SHA-256: 8753e4cdd6aba1e2417ba4a864213385eea38c1553e5daeceedefd5db3d9423a
242 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.005 Visual Basic

The sample is a malicious OLE file that leverages CVE-2007-3899, a memory corruption vulnerability in Microsoft Word, to execute arbitrary code. It also contains an Ole10Native package which is likely used to drop an executable payload. The presence of XLM macro sheet further suggests potential for script execution.

Heuristics 7

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_984665120/Ole10Native 41580 bytes
SHA-256: 7148e8900e3070c3cd5af94f5136b9e87a268bf6a2ca11e13012b43f46948ddf

Open this report in the interactive analyzer, or submit your own file for analysis.