Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 96ba3532a72c4d70…

MALICIOUS

Office (OLE)

Size: 146.0 KB
Created: 2016-04-20 08:08:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: 9b132dec5532a65e56df3e5ab72dac16
SHA-1: ef4bca6e56d6ae9b41b6108b48bb7362d0affd9c
SHA-256: 96ba3532a72c4d709ff2a95588eb935ad98a5467410d4f19135886b986b0636f
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample is a malicious Office document containing an embedded PE executable. It also contains legacy WordBasic auto-exec markers, indicating an attempt to automatically run code upon opening. The presence of GetProcAddress API calls and Ole10Native further suggests exploitation or malicious scripting, likely to execute the embedded payload.

Heuristics (6)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation (severity: high; rule: CVE likely CVE_2026_21514)
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable (severity: critical; rule: OLE_EMBEDDED_EXE)
    MZ/PE header found inside document: possible embedded executable.
  • Reference to GetProcAddress API (severity: high; rule: SC_STR_GETPROCADDRESS)
    Reference to GetProcAddress API.
  • Suspicious extracted artifact (severity: high; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: embedded_office_0000604c.exe
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x604C
    Size: 124852 bytes
    SHA-256: 2888c1efed5d50345c2247d1108702b1e08b69ec239118fb11c7ce1a2ba1da98
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved macro source contains an auto-exec entry point and execution/download terms)
  • Filename: ole10native_00.bin
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_1522686967/Ole10Native
    Size: 95430 bytes
    SHA-256: 2c16ddf22357aaab22373195463b9e0b8f66a7177c60c06c2321b0b8b0f6670a