Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8a796ba1f411d1aa…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 201.5 KB
MD5: 818be8fb6d8c76901f38ae0cd0776081
SHA-1: c387dee6b4813b162eb387d1543e8912c65f7447
SHA-256: 8a796ba1f411d1aa70aad87415658d21efdbb7efe89542f2096797ce3625590e
Risk Score: 440

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking
T1027 Obfuscated Files or Information

The file is identified as malicious by ClamAV with the signature Win.Trojan.Ransom-510. Static analysis revealed an embedded PE executable within an OLE object, a common technique for delivering secondary payloads. References to LoadLibrary and GetProcAddress APIs suggest dynamic loading of malicious functions. The presence of an embedded executable and the ClamAV detection strongly indicate a ransomware delivery mechanism.

Heuristics (11)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation (severity: high; CVE likely; rule: CVE_2026_21514)
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable (severity: critical; rule: OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable
  • PE header (with DOS stub) in hex data (severity: critical; rule: RTF_MZ_HEX)
    Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
  • ClamAV: Win.Trojan.Ransom-510 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Ransom-510
  • ClamAV detection on extracted artifact (severity: critical; rule: EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Reference to LoadLibrary API (severity: high; rule: SC_STR_LOADLIBRARY)
    Reference to LoadLibrary API
  • Reference to GetProcAddress API (severity: high; rule: SC_STR_GETPROCADDRESS)
    Reference to GetProcAddress API
  • Package object class (severity: high; rule: RTF_OBJCLASS_PACKAGE)
    OLE Package object — can wrap arbitrary files
  • OLE object data (severity: medium; rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects
  • Embedded OLE object (severity: medium; rule: RTF_OBJEMB)
    RTF contains \objemb — embedded OLE object
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/word/2003/wordml}}\paperw12240\paperh15840\margl1800\margr1800\margt1440\margb1440\gutter0\ltrsect

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: embedded_office_00002639.exe
SHA-256: eaa5947d627e4b307461c427840b5c118abf499f6f61b449c25858de77b1f2b7
Kind: embedded-pe
Source: Office MZ+PE at offset 0x2639
Size: 196551 bytes
Detection: ClamAV: Win.Trojan.Ransom-510
Obfuscation or payload: unlikely

Filename: ole10native_00.bin
SHA-256: 48e73642bee3340802abb97b62ce61ff01be4338cd7f1eee044a75b5625097e8
Kind: ole-package
Source: OLE Ole10Native stream: ITEM000/ObjectPool/_1342959499/Ole10Native
Size: 48187 bytes
Detection: ClamAV: Win.Trojan.Ransom-510
Obfuscation or payload: unlikely

Filename: objdata_00_off00016c6f.bin
SHA-256: 55e857211545f6fc606662ebc63b662b00a35cef0a54129a54e4039247806ad0
Kind: rtf-objdata-decoded
Source: RTF \objdata at offset 0x16C6F
Size: 51966 bytes
Detection: ClamAV: Win.Trojan.Ransom-510
Obfuscation or payload: unlikely