Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 893f899cc18e3a2f…

MALICIOUS

Office (OLE) / .DOC

Size: 505.5 KB
Created: 2010-06-02 13:35:00
Authoring application: Microsoft Office Word
MD5: 3d3e4aa49b59ee74e743ecc196989cc6
SHA-1: a97682eab9ca3aa7b426a46562282194317f897a
SHA-256: 893f899cc18e3a2fe3ece52dcfc3760c36ce0de668406cf88249ee2a12478804
Risk Score: 382

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious File

The sample is a malicious OLE (Word binary) document carrying an embedded PE executable. The document body is a deposit-receipt lure that tells the user to click an 'EMBED Package' field, which is the embedded Package (Ole10Native) object holding the executable, so execution requires the user to open the object (T1204.002). String heuristics find references to ShellExecute, LoadLibrary and GetProcAddress, the APIs a dropper uses to launch a written-out file and to resolve imports at runtime. ClamAV detects the container as Win.Trojan.Ag-9 and the carved executable under the same signature. Note that the carved PE length (453260 bytes) is exactly the number of bytes from offset 0xFB74 to the end of the 505.5 KB file, so it is a carve to end of file rather than a sized PE image; the Ole10Native stream data is the cleaner source for the dropped file.

Heuristics 10

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with an Ole10Native stream together with an executable, PE, or risky remote-link indicator. CVE-2026-21514 concerns OLE metadata validation; this stronger combination is scored as likely exploitation. Ole10Native plus an embedded PE is also the ordinary layout of a Package object, so the CVE label is a structural match, not confirmation of an exploit.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Win.Trojan.Ag-9 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Ag-9
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    String reference to ShellExecute, the API a dropper uses to launch a written-out file or URL
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    String reference to LoadLibrary; together with GetProcAddress it resolves imports at runtime, keeping them out of the import table
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    String reference to GetProcAddress; paired with LoadLibrary for runtime import resolution, typical of packed or obfuscated binaries
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/SMI/2005/WindowsSettings
    • http://schemas.openxmlformats.org/drawingml/2006/main
    Both are XML namespace identifiers from embedded Office parts (manifest and DrawingML), not network indicators; no contact with these hosts is implied.
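The Ole10Native and embedded-PE heuristics above, and the entropy figure in the artifact table below, reduce to three checks: parse the Package stream, confirm an MZ hit is a real PE by following e_lfanew to the PE signature (and size it from the section table instead of carving to end of file), and score the payload's byte distribution. The following is an added example, not the report generator's own code. It assumes the commonly documented Ole10Native layout (the one oletools' OleNativeStream reads) and runs on a constructed sample document built in build_sample_document, which is not real malware; the names SAMPLE_DOC, SAMPLE_STREAM and triage_stream are this example's own.

```python
"""Added example: triage helpers for Ole10Native streams and embedded PE images."""
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes.
    Values near 7.5-8.0 (the report's 7.49) point at packed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def _cstr(buf: bytes, off: int):
    """Read a NUL-terminated ANSI string at off; return (text, offset past the NUL)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def parse_ole10native(stream: bytes) -> dict:
    """Parse an Ole10Native ("Package") stream. Layout assumed (commonly documented,
    same as oletools' OleNativeStream): u32 size, u16 type, cstr label, cstr original
    path, u32 flags, u32 temp-path length, temp path, u32 data length, data."""
    size, otype = struct.unpack_from("<IH", stream, 0)
    off = 6
    label, off = _cstr(stream, off)
    orig_path, off = _cstr(stream, off)
    off += 4                                             # flags dword
    tlen = struct.unpack_from("<I", stream, off)[0]
    off += 4
    temp_path = stream[off:off + tlen].rstrip(b"\x00").decode("latin-1")
    off += tlen
    dlen = struct.unpack_from("<I", stream, off)[0]
    off += 4
    if off + dlen > len(stream):
        raise ValueError("Ole10Native data length %d exceeds stream" % dlen)
    return {"size": size, "type": otype, "label": label, "orig_path": orig_path,
            "temp_path": temp_path, "data": stream[off:off + dlen]}


def find_embedded_pe(blob: bytes):
    """Return [(offset, length)] for each 'MZ' whose e_lfanew lands on 'PE\\0\\0'.
    A bare 'MZ' is a common two-byte sequence; the e_lfanew check is what makes it a PE.
    Length comes from the section table (largest PointerToRawData + SizeOfRawData),
    the on-disk image extent, rather than from carving to end of file."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        try:
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x1000 and blob[pe:pe + 4] == b"PE\x00\x00":
                nsec = struct.unpack_from("<H", blob, pe + 6)[0]        # NumberOfSections
                opt_size = struct.unpack_from("<H", blob, pe + 20)[0]   # SizeOfOptionalHeader
                sec = pe + 24 + opt_size                                # first section header
                end = (sec - pos) + 40 * nsec                           # headers at minimum
                for i in range(nsec):
                    raw_size, raw_ptr = struct.unpack_from("<II", blob, sec + 40 * i + 16)
                    end = max(end, raw_ptr + raw_size)
                hits.append((pos, min(end, len(blob) - pos)))
        except struct.error:
            pass                                         # header runs past the buffer
        pos = blob.find(b"MZ", pos + 1)
    return hits


def triage_stream(stream: bytes) -> dict:
    """Run the three checks on one Ole10Native stream, as the heuristics above do."""
    pkg = parse_ole10native(stream)
    pes = find_embedded_pe(pkg["data"])
    return {"label": pkg["label"], "temp_path": pkg["temp_path"],
            "data_len": len(pkg["data"]), "pe_hits": pes,
            "entropy": round(shannon_entropy(pkg["data"]), 2),
            "verdict": "embedded PE" if pes else "no PE signature"}


def build_sample_document() -> bytes:
    """Constructed test input, not real malware: a minimal one-section PE image wrapped
    in an Ole10Native stream, preceded by zero filler standing in for the document."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew -> PE header at 0x40
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    section = b".text\x00\x00\x00" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\x00" * 16
    headers = bytes(dos) + coff + b"\x00" * 0xE0 + section
    headers += b"\x00" * (0x200 - len(headers))          # pad up to PointerToRawData
    pe = headers + bytes(range(256)) * 2                 # 512-byte uniform "packed" section
    label = b"receipt.exe\x00"
    orig = b"C:\\lure\\receipt.exe\x00"
    temp = b"C:\\Users\\x\\receipt.exe\x00"
    body = (struct.pack("<H", 2) + label + orig + struct.pack("<I", 0x30000)
            + struct.pack("<I", len(temp)) + temp + struct.pack("<I", len(pe)) + pe)
    return b"\x00" * 0x80 + struct.pack("<I", len(body)) + body


SAMPLE_DOC = build_sample_document()
SAMPLE_STREAM = SAMPLE_DOC[0x80:]   # real file: olefile.OleFileIO(p).openstream([...]).read()

if __name__ == "__main__":
    print("document-level carve:", find_embedded_pe(SAMPLE_DOC))
    print("stream triage:", triage_stream(SAMPLE_STREAM))
```

On a real sample, read the stream through olefile by its path (ObjectPool/.../Ole10Native) rather than scanning the raw file: compound-file streams are allocated in 512-byte sectors that need not be contiguous, so a raw carve from the container can splice sectors of unrelated streams into the image, which is one reason a raw-carved PE and the stream-extracted file can hash and scan differently.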

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename: embedded_office_0000fb74.exe
SHA-256: 38954d3058ad57984101d5166b5862895a633e687dcc54ed5462ec25415615cd
Kind: embedded-pe
Source: Office MZ+PE at offset 0xFB74
Size: 453260 bytes
Detection: ClamAV: Win.Trojan.Ag-9
Obfuscation or payload: unlikely

Filename: ole10native_00.bin
SHA-256: 485eaa4b8316bb2323b113a5433b5dacfa24870c4f3dd871bff7cec7189ffb65
Kind: ole-package
Source: OLE Ole10Native stream: ObjectPool/_1335191732/Ole10Native
Size: 287578 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.49, consistent with packed or encrypted content.

Filename: ole10native_01.bin
SHA-256: 9d6209d9160ec16b67ef2851fb9f72f4c686b3c5d5cd5e7cea25f65d0a97b316
Kind: ole-package
Source: OLE Ole10Native stream: ObjectPool/_1336965927/Ole10Native
Size: 183016 bytes