Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9f6c285eb764a75f…

MALICIOUS

Office (OLE)

111.5 KB Created: 2017-10-15 07:40:00 Authoring application: Microsoft Office Word First seen: 2017-10-28
MD5: 9fde4eb7078adb7d52b5f0983e504c9d SHA-1: 1947f6b9798c70adccbfbd086ca1f073bb41f2b9 SHA-256: 9f6c285eb764a75f3110d0487a71de5ba36d8e2f654200faf136e7385cf1074f
100 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an OLE file containing an Ole10Native object, which is a known vector for dropping executable payloads. Heuristics indicate this object is likely to drop a VBScript, suggesting an exploitation attempt for client execution. The embedded VBScript is the primary indicator of malicious activity.

Heuristics 2

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1569544072/Ole10Native 70778 bytes
SHA-256: fc173d772b1e75395ea89c5c947db8baf473aa3973636cc9d6b0b3e98c8459ba

Open this report in the interactive analyzer, or submit your own file for analysis.