Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 945f07585172e980…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 29.1 KB
Created: 2021-07-28 00:25:00 UTC
Authoring application: Microsoft Office Word 16.0000
MD5: d9af4763acc1074bb90f412eb64bc764
SHA-1: 3adbacb137fe6e69ca8a050df24e951dae53a2eb
SHA-256: 945f07585172e980bbc413ab1d42c576300233c614d955925c6196ade94c2a65
Risk Score: 122

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1129 Execution through API

The OOXML document contains an embedded OLE object with indicators for an executable payload, strongly suggesting an attempt to exploit CVE-2026-21514. This embedded object is designed to drop and execute a secondary payload, likely an executable file, upon opening. The presence of the Ole10Native package with executable extensions points to a direct execution attempt.

Heuristics (4)

  • OOXML Ole10Native with payload/link indicators — possible CVE-2026-21514 (severity: high; tag: CVE likely; rule: CVE_2026_21514)
    Office document contains embedded OLE (word/embeddings/oleObject1.bin) with Ole10Native plus executable, PE, or risky remote-link indicators. This is a likely CVE-2026-21514 exploitation shape.
  • Ole10Native package drops an auto-executable payload (severity: critical; rule: OFFICE_PACKAGE_RISKY_FILE)
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its SHA-256, the artifact kind, the source part inside the sample, and the size.

  • ooxml_oleobject_00.bin
    SHA-256: 5651167ac629cc3eaa7d28626e0cf574d5a76a078428e729e2c26eb2b0b43758
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
    Size: 31744 bytes
  • ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 8217d05eefe9c072c778864f9c5a2431295dc6d19bac3a993ad3ba0ece19fa52
    Kind: ole-package
    Source: OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native
    Size: 28773 bytes
  • emf_00.emf
    SHA-256: b72d03d150a009689a4059f799c03187c40c42b8f13f3cead746af1797fb45ec
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 5476 bytes