Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 a0bf6f09f394949c…

MALICIOUS

Office (OLE) / .DOCX

Size: 621.0 KB
Created: 2020-02-28 03:49:00
Authoring application: Microsoft Office Word
First seen: 2022-05-25
MD5: a3ac96a5b997a546855538e67072fcf1
SHA-1: 03bfd25a4a775563228a85dd861dd621b61f8fe7
SHA-256: a0bf6f09f394949c603b878ab42b001155d347e5812b59f09a2ab9d387d548f6
Risk score: 204

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The document contains VBA macros, specifically an AutoOpen macro, which is designed to execute when the document is opened. This macro triggers an OLE Format action on an embedded object, which is identified as an executable file. This indicates a delivery mechanism for a malicious executable, likely exploiting OLE package handling vulnerabilities. The embedded executable 'embedded_office_00010503.exe' is the primary IOC.

Heuristics 7

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation (severity: high; category: CVE likely; rule: CVE_2026_21514)
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable (severity: critical; rule: OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable.
  • AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro present.
  • Ole10Native package carries executable/script file type (severity: high; rule: OFFICE_PACKAGE_RISKY_FILE)
    OLE Package displayName or fullPath ends in an executable or script-capable extension. Even without UI extension spoofing, embedding a runnable payload inside an Office document is a high-risk delivery pattern.
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS)
    Document contains VBA macro code.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 3

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: 097c54ab9fcd7746ec8bda24edbb0a5d79ba6d7f69f2169b4ee3b6a55f276b5a
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 649 bytes
  • embedded_office_00010503.exe
    SHA-256: 15409ec8a04de1209e4d16e1f9a812087410b7410dcf9471ef03b06b31a51d12
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x10503
    Size: 569085 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact entropy is 7.80, consistent with packed or encrypted content)
  • ole10native_00.bin
    SHA-256: 30b7fee9c02ee2eb61512483567b325dc201517e2cd525fcd0d3e37f26a52a15
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_1715024664/Ole10Native
    Size: 547563 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact entropy is 7.80, consistent with packed or encrypted content)