Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a03fbed8295005a3…

MALICIOUS

Office (OLE)

Size: 113.0 KB
Created: 2007-09-25 12:45:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: b077572a28b8d68dc13644dca917079c
SHA-1: 3423c4508fbc719d8db6c99dfc1e3c44fa0247f9
SHA-256: a03fbed8295005a38ba13c9764ab30a7a3909ac0d93bd1535ceaea7489434adc
Risk Score: 222

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution

The file is an OLE document that carries both an embedded PE executable and an Ole10Native package, the structure of a dropper built to write a payload to disk and launch it. String references to the WinExec and VirtualAlloc APIs are consistent with code that allocates memory and starts a program, although a string match alone does not prove that either call is made. The embedded executable and the package are the primary indicators of malicious intent; a document of this shape is typically delivered as a spearphishing attachment.

Heuristics (6)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation [high, CVE likely] (CVE_2026_21514)
    The document contains a Word OLE object with an Ole10Native stream plus an executable, PE, or risky remote-link indicator. CVE-2026-21514 concerns OLE metadata validation; because the sample combines the package with an embedded executable, the heuristic treats the structure as likely exploitation. This is a structural match, not a confirmed exploit trigger.
  • Embedded PE executable [critical] (OLE_EMBEDDED_EXE)
    An MZ/PE header was found inside the document, so a complete executable is embedded in it.
  • Ole10Native package drops an auto-executable payload [critical] (OFFICE_PACKAGE_RISKY_FILE)
    The OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary, or a script that the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use; it is a malware-delivery dropper.
  • Reference to WinExec API [high] (SC_STR_WINEXEC)
    The string WinExec appears in the sample. WinExec launches a program by path and is the usual way a dropper runs a payload it has just written to disk.
  • Reference to VirtualAlloc API [medium] (SC_STR_VIRTUALALLOC)
    The string VirtualAlloc appears in the sample. VirtualAlloc reserves and commits memory; loaders and shellcode use it to stage code in executable memory before transferring control to it.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.fao.org/docrep/003/V1490P/V1490P00.htm (channel: document text, OLE body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • embedded_office_0000e82e.exe
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0xE82E
    Size: 56274 bytes
    SHA-256: 239ccae5a50a7c43ca18d58a2f8369044833262492292d2ca77cd2cf8df8f857
  • ole10native_00.bin
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_979485558/Ole10Native
    Size: 41580 bytes
    SHA-256: ce7d305f6faad5a19b03654aa6f1792e995da2eae7bfe2bdf54b19a1c573be2e
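
The following script is an added example, not the report's own tooling or the scanner that produced the heuristics above. It reproduces the three checks behind OFFICE_PACKAGE_RISKY_FILE, OLE_EMBEDDED_EXE and SC_STR_WINEXEC / SC_STR_VIRTUALALLOC, and the MZ+PE offset carving shown under Extracted artifacts, against a constructed Ole10Native stream: it parses the package layout (size, type word, label, source path, reserved words, length-prefixed temp path, data size, data), flags an auto-executable package name, validates the MZ -> e_lfanew -> PE\0\0 chain of the carried payload, and greps it for API names. The extension list, the rule-ID naming for APIs other than the two on the page, and the sample file names and paths are assumptions; the bytes scanned are built inline and are not the real sample.

```python
"""Added example, not the report's own tooling: parse an Ole10Native package
stream, flag an auto-executable package name, and check the carried payload
for an MZ/PE header and suspicious API strings. All input is constructed."""
import os
import struct

# Extensions that run directly on double-click. Assumed, deliberately short
# list; the report's rule uses its own set, which the page does not publish.
AUTO_EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                        ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1"}
# API names to look for as strings. A name match shows the import or string
# exists, not that the call is made. The last two are assumed additions.
SUSPICIOUS_API_STRINGS = (b"WinExec", b"VirtualAlloc", b"CreateProcessA", b"ShellExecuteA")


def build_ole10native(label, src_path, temp_path, payload):
    """Build a constructed Ole10Native stream: DWORD size, WORD type (2),
    NUL-terminated label, NUL-terminated source path, two reserved WORDs,
    DWORD-length-prefixed temp path, DWORD data size, data."""
    body = struct.pack("<H", 2)
    body += label.encode("cp1252") + b"\x00"
    body += src_path.encode("cp1252") + b"\x00"
    body += struct.pack("<HH", 0, 3)
    temp = temp_path.encode("cp1252") + b"\x00"
    body += struct.pack("<I", len(temp)) + temp
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


def _cstr(buf, pos):
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("cp1252", "replace"), end + 1


def parse_ole10native(stream):
    """Parse the layout above. Every declared length is checked against the
    buffer so a truncated stream or a lying size field raises instead of
    silently yielding a short payload."""
    (size,) = struct.unpack_from("<I", stream, 0)
    if size > len(stream) - 4:
        raise ValueError("Ole10Native size field exceeds stream length")
    (flags,) = struct.unpack_from("<H", stream, 4)
    label, pos = _cstr(stream, 6)
    src_path, pos = _cstr(stream, pos)
    pos += 4                                   # two reserved WORDs
    (temp_len,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    temp_path = stream[pos:pos + temp_len].rstrip(b"\x00").decode("cp1252", "replace")
    pos += temp_len
    (data_len,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    if pos + data_len > len(stream):
        raise ValueError("Ole10Native data size exceeds stream length")
    return {"flags": flags, "label": label, "src_path": src_path,
            "temp_path": temp_path, "data": stream[pos:pos + data_len]}


def risky_extension(*names):
    """Return the first auto-executable extension among label / fullPath."""
    for name in names:
        ext = os.path.splitext(name.replace("\\", "/"))[1].lower()
        if ext in AUTO_EXEC_EXTENSIONS:
            return ext
    return None


def looks_like_pe(data):
    """True only for a real MZ -> e_lfanew -> 'PE\\0\\0' chain, not a bare 'MZ'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def api_strings(data):
    return [s.decode() for s in SUSPICIOUS_API_STRINGS if s in data]


def find_pe_offsets(blob):
    """Carve: every offset in a whole file where a validated PE image starts."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        if looks_like_pe(blob[pos:]):
            hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def analyze_stream(stream):
    """Run the package checks and return (parsed package, [(rule_id, detail)])."""
    pkg = parse_ole10native(stream)
    findings = []
    ext = risky_extension(pkg["label"], pkg["src_path"])
    if ext:
        findings.append(("OFFICE_PACKAGE_RISKY_FILE", ext))
    if looks_like_pe(pkg["data"]):
        findings.append(("OLE_EMBEDDED_EXE", "MZ/PE header"))
    for api in api_strings(pkg["data"]):
        findings.append(("SC_STR_" + api.upper(), api))   # assumed ID scheme
    return pkg, findings


def constructed_pe_payload():
    """Minimal constructed bytes: valid MZ/e_lfanew/PE chain plus import-like
    names. Not a real executable and not the sample's payload."""
    hdr = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80)
    hdr += b"\x00" * (0x80 - len(hdr)) + b"PE\x00\x00" + b"\x00" * 20
    return hdr + b"KERNEL32.dll\x00WinExec\x00VirtualAlloc\x00"


# Constructed package and container (OLE magic + filler + stream); the names are assumed.
SAMPLE_STREAM = build_ole10native("invoice.exe", r"C:\Users\victim\Desktop\invoice.exe",
                                  r"C:\Users\victim\AppData\Local\Temp\invoice.exe",
                                  constructed_pe_payload())
SAMPLE_BLOB = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 0x200 + SAMPLE_STREAM

if __name__ == "__main__":
    pkg, findings = analyze_stream(SAMPLE_STREAM)
    print("label:", pkg["label"], "| fullPath:", pkg["src_path"])
    for rule_id, detail in findings:
        print(rule_id, detail)
    print("MZ/PE at offsets:", [hex(o) for o in find_pe_offsets(SAMPLE_BLOB)])
```

On a real sample the stream bytes come from the ObjectPool/.../Ole10Native entry of the compound file (oletools' oleobj reads the same layout); the carving pass is what yields an artifact like "MZ+PE at offset 0xE82E", and validating e_lfanew rather than stopping at "MZ" is what keeps random "MZ" pairs in document text from being reported as executables.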