Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 9fbacfbfe1f07525…

MALICIOUS

Office (OLE) / .DOC

106.5 KB
Created: 2010-02-23 11:51:00
Authoring application: Microsoft Office Word
MD5: 6347fcbbd6b31b06978b6432350fa8c3
SHA-1: 69e65877056c0a1b3a2450d9c131e2cb3b31e105
SHA-256: 9fbacfbfe1f07525a2a7f3eed4e5275e31c5c5c3004fff84178bbb51c67335f8
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1137.001 DLL Side-Loading

The sample is a Microsoft Word document (OLE) that contains an embedded PE executable. Heuristics indicate the presence of Ole10Native, which is often exploited to deliver malicious payloads, and references to WinExec and VirtualAlloc APIs suggest the execution of code. The embedded executable is the primary indicator of malicious intent, likely serving as a downloader or initial payload.

Heuristics 5

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation [high] [CVE likely] [CVE_2026_21514]
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable [critical] [OLE_EMBEDDED_EXE]
    MZ/PE header found inside document — possible embedded executable
  • Reference to WinExec API [high] [SC_STR_WINEXEC]
    Reference to WinExec API
  • Reference to VirtualAlloc API [medium] [SC_STR_VIRTUALALLOC]
    Reference to VirtualAlloc API
  • Embedded URL [info] [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • Filename: embedded_office_00010604.exe
    9e26194d26dce6015aca3507e516380c426f1b14dba621b727bea19ef1ad68a4
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x10604
    Size: 41980 bytes
  • Filename: ole10native_00.bin
    f9f0b1e17a6226882f1fbf761021a5a2d3fd5417293adf272317b056e61fcff4
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_1328416609/Ole10Native
    Size: 41580 bytes