Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 9b6f0075d1832591…

MALICIOUS

Office (OLE) / .DOC

101.0 KB Created: 2010-02-23 18:28:00
MD5: a16f5583f8211c806c6fef2021803f9e SHA-1: 58b52941afc8ba7f3d51c1d035fc4c4b924e6ec6 SHA-256: 9b6f0075d1832591c2eede4a13c0d18d60233eb482ed6cbadde54f185c45d0cd
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The sample is a malicious OLE document containing an embedded PE executable. The document body presents itself as a commercial contract to deceive the user. The presence of an embedded executable and references to WinExec and VirtualAlloc APIs suggest the document is designed to drop and execute a secondary payload. The 'OLE_EMBEDDED_EXE' heuristic directly confirms the presence of a PE executable within the OLE structure.

Heuristics 4

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00012404.exe
df0a210a8156f4240f80956c63dcf74f937732303dce83c7a0d4aeaff98803b6		 embedded-pe Office MZ+PE at offset 0x12404 28668 bytes
ole10native_00.bin
f9f0b1e17a6226882f1fbf761021a5a2d3fd5417293adf272317b056e61fcff4		 ole-package OLE Ole10Native stream: ObjectPool/_-1343406844/Ole10Native 41580 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.