Office (OOXML) malware analysis — malicious · 8fe94d9909fa4a01

MALICIOUS

Office (OOXML)

487.4 KB Created: 2017-06-08 14:56:00 UTC Authoring application: Microsoft Office Word 15.0000 First seen: 2019-04-18

MD5: 67c9bfd4d6ac397fb0cd7da2441a6fe2 SHA-1: 47c471c0417e9b7e3d92717e627b64df390c0ad7 SHA-256: 8fe94d9909fa4a018fc8fe55aca55856005917ee6ca3d4fda114d92ec453e77c

222 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1566.001 Spearphishing Attachment

The file is identified as malicious due to the presence of an embedded OLE object with indicators for exploitation, specifically referencing CVE-2026-21514. ClamAV detections further confirm its malicious nature, flagging it as a phishing-related dropper. The embedded OLE object, packaged as a .lnk file, strongly suggests an attempt to execute a secondary payload.

Heuristics 5

OOXML Ole10Native with payload/link indicators — possible CVE-2026-21514 high CVE likely CVE_2026_21514

Office document contains embedded OLE (word/embeddings/oleObject1.bin) with Ole10Native plus executable, PE, or risky remote-link indicators. This is a likely CVE-2026-21514 exploitation shape.
ClamAV: Win.Phishing.Suspicious-6355520-3 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Phishing.Suspicious-6355520-3
Ole10Native package carries executable/script file type high OFFICE_PACKAGE_RISKY_FILE

OLE Package displayName or fullPath ends in an executable or script-capable extension. Even without UI extension spoofing, embedding a runnable payload inside an Office document is a high-risk delivery pattern.
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ooxml_oleobject_00.bin`	ooxml-ole-object	OOXML embedded OLE part: word/embeddings/oleObject1.bin	5632 bytes
SHA-256: `59a3bc8cbe44d9468f3070bc058126179d8d780bd9fc30854c358283b857f9a6`
Detection ClamAV: Doc.Dropper.Agent-6493319-0 Obfuscation or payload: unlikely
`ooxml_oleobject_00_ole10native_00.bin`	ole-package	OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native	3219 bytes
SHA-256: `92b03d58e4d6aeb39e379a123a98be7c5d57d103d949cbbad552426d8d8b49af`
`emf_00.emf`	ooxml-emf	OOXML EMF part: word/media/image2.emf	5440 bytes
SHA-256: `133119d8bc3a7b99b9d49a8ad1d8c3709719b804289934b006d953209cf72e05`

Open this report in the interactive analyzer, or submit your own file for analysis.