Office (OLE) malware analysis — malicious · 9d4622542bdd2684

MALICIOUS

Office (OLE)

709.7 KB Created: 2011-01-10 06:39:00 Authoring application: Microsoft Office Word First seen: 2017-11-13

MD5: 89f49bfe80ea0b95e1bfe6bc58567fbd SHA-1: f1c9cd4ef6d7d6449dd63790f523519d4042dfb8 SHA-256: 9d4622542bdd2684871f58d9609c1bbb9badf02f754bc27c47fbc3fe0298bbd5

384 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is a Microsoft Word document containing an embedded PE executable, identified by the OLE_EMBEDDED_EXE heuristic. It also fires critical alerts for CVE-2007-3899 and Ole10Native exploitation, indicating it leverages known vulnerabilities for execution. The presence of ShellExecute, LoadLibrary, and GetProcAddress API references suggests the embedded executable is designed to load and run additional code. The document body indicates it's an embedded package, and the SE_PASSWORD_ARCHIVE_LURE heuristic suggests it may be password-protected to evade initial scanning.

Heuristics 10

CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899

Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514

Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE

OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd In document text (OLE body)
- http://www.w3.org/1999/xhtmlIn document text (OLE body)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_office_000046a6.exe`	embedded-pe	Office MZ+PE at offset 0x46A6	708648 bytes
SHA-256: `49b15d1fcf6c9530cd4d16469d8c21d077a7e0cfbe1823741e35ced064c67454`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.86, consistent with packed or encrypted content.
`ole10native_00.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1356248006/Ole10Native	704225 bytes
SHA-256: `a858eb0daa2bbe4c6c7a2a5f3be3426611e064e769cbee27a529fd2b9fcfb574`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.86, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.