Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 92d1b296bb061c7d…

MALICIOUS

Office (OLE)

311.5 KB Created: 2017-07-11 22:06:00 Authoring application: Microsoft Office Word First seen: 2018-03-04
MD5: 53730690ccea77fd47a04e21d324665f SHA-1: 641c2c241e2df90a4afe7a7430b75f7d098bb22d SHA-256: 92d1b296bb061c7d057a0314e3ecff0e06c4bd68fb1f562c375af2db42733180
382 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059 Command and Scripting Interpreter T1203 Exploitation for Client Execution

The sample is a Microsoft Word document that exploits CVE-2007-3899 to drop an embedded PE executable. The document body suggests a compatibility pack lure to encourage user interaction with the embedded object. The presence of ShellExecute and LoadLibrary API calls, along with an embedded PE executable, indicates the file's intent to execute a malicious payload. The document also contains a password-protected archive lure, commonly used to bypass security controls.

Heuristics 9

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_000036b5.exe embedded-pe Office MZ+PE at offset 0x36B5 304971 bytes
SHA-256: 20470591859f2969617466b96500fb118dd79c87e4767c4d0b7e5cea7f0b8f26
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.62, consistent with packed or encrypted content.
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1561319528/Ole10Native 300739 bytes
SHA-256: 18e1516ffbb36699a659a7c033e8dd4cab49c85aba8abce288d6466c418c136c
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.67, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.