Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8f3da70bd02908fd…

MALICIOUS

Office (OLE)

277.5 KB Created: 2000-10-14 19:04:00 Authoring application: Microsoft Word 9.0 First seen: 2017-09-14
MD5: ca901114150ca3d898e8c0a06b5f14aa SHA-1: 18d3194bc2c8247fe1e11618e25da588e1b30a99 SHA-256: 8f3da70bd02908fd1b6120106e8ee65c3ce67637c367254d82f054e469e01bb7
362 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample is an OLE document containing an embedded executable payload. The document body attempts to trick the user into double-clicking the embedded object by promising a secret from Spanish intelligence. The embedded package is a script designed to download and execute a secondary payload from the provided URLs, indicating a downloader or droppper functionality.

Heuristics 9

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package payload is a download-and-execute script critical OFFICE_PACKAGE_SCRIPT_DROPPER
    The OLE Package's embedded payload contains a script that hosts a shell (PowerShell/WScript/mshta), fetches a remote resource, and executes it — a download-and-run dropper. Embedding such a script inside an Office document via the Object Packager is a direct user-execution delivery technique (MITRE T1204.002), not a benign attachment.
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.rjlsoftware.com/redir/clickme.htm Embedded OLE package script
    • http://www.rjlsoftware.comEmbedded OLE package script

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00003668.exe embedded-pe Office MZ+PE at offset 0x3668 270232 bytes
SHA-256: 84ee89d1a6931aebc0c8e9adbb84d17ed5c2cbd7dd7e20c23de52dcfdd13104b
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1033038928/Ole10Native 265900 bytes
SHA-256: a7cdd6f9014fa7809c989f91654db9538b6793c2221962de34b462be2cd11669

Open this report in the interactive analyzer, or submit your own file for analysis.