Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9032c8ef4eede504…

MALICIOUS

Office (OLE)

Size: 474.5 KB
Created: 2002-10-23 14:17:00
Authoring application: Microsoft Word 9.0
First seen: 2019-12-09
MD5: 9c3dd44e6011a606a5a0b06b2ea0933a
SHA-1: b5b50c26ec8e4ed7500ec753dbf2dc02145b8953
SHA-256: 9032c8ef4eede504f2834c4807c7cb9e9301c394b571a65ed00f70cd70dc36b9
Risk Score: 420

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is an OLE document containing an embedded PE executable and a Flash object, indicating a multi-stage attack. Heuristics suggest the use of WinExec, CreateProcess, LoadLibrary, and GetProcAddress, pointing towards the execution of malicious code. The Ole10Native package is flagged as risky for dropping an auto-executable payload, likely the embedded PE file. The document body uses a narrative about ghosts and a "videographic method" to trick the user into interacting with the embedded content, which likely leads to the execution of the embedded PE file.

Heuristics (9)

  • Legacy Flash object embedded in Office document (severity: high; tag: CVE related; rule: OFFICE_LEGACY_SWF_OBJECT)
    Office document embeds a ShockwaveFlash ActiveX object with a legacy SWF version (5). This is evidence of the old Flash-in-Office exploit family; without SWF tag-level validation it does not point to a specific Flash CVE.
  • OLE with Ole10Native: possible CVE-2026-21514 exploitation (severity: high; tag: CVE likely; rule: CVE_2026_21514)
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 concerns OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable (severity: critical; rule: OLE_EMBEDDED_EXE)
    MZ/PE header found inside the document: possible embedded executable.
  • Embedded Adobe Flash (SWF) in OLE document (severity: critical; rule: OFFICE_EMBEDDED_SWF)
    Document contains an embedded Adobe Flash (SWF) object. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 involved Flash objects embedded in Office files. Adobe Flash has been end-of-life since December 2020.
  • Ole10Native package drops an auto-executable payload (severity: critical; rule: OFFICE_PACKAGE_RISKY_FILE)
    The OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use; it is a malware-delivery dropper.
  • Reference to WinExec API (severity: high; rule: SC_STR_WINEXEC)
  • Reference to CreateProcess API (severity: high; rule: SC_STR_CREATEPROCESS)
  • Reference to LoadLibrary API (severity: high; rule: SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (severity: high; rule: SC_STR_GETPROCADDRESS)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: embedded_office_00004a5c.exe
  Kind:    embedded-pe
  Source:  Office MZ+PE at offset 0x4A5C
  Size:    466852 bytes
  SHA-256: 2cbb6de7266ea3533e98dd244d00881601cc9783a58f360f4ad6978774ae3d70

Filename: ole10native_00.bin
  Kind:    ole-package
  Source:  OLE Ole10Native stream: ObjectPool/_1091341983/Ole10Native
  Size:    461489 bytes
  SHA-256: de69c833ca8b6bb6fee671cd00b76b5fd0c99bc5a8a658ee23cdfc0ddb7245cd