Win.Downloader.Rakhni-9865640-0 — Office (OOXML) malware analysis

Static analysis result for SHA-256 a0e5db169114229d…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 1018.2 KB
Created: 2016-02-17 12:46:00 UTC
Authoring application: Microsoft Office Word 15.0000
MD5: 1150c9d3e2d452aa99a234010fd0d9e5
SHA-1: 4a8cea2ff836baa166a2b6d439d9c1c4b19cec07
SHA-256: a0e5db169114229d40455f976250d678652d5f2e94c7dd4a14ac8449ee9fe184
Risk score: 244

Malware Insights

Win.Downloader.Rakhni-9865640-0 · confidence 95%

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1129 Shared Modules

ClamAV identifies the file as Win.Downloader.Rakhni-9865640-0. Critical heuristics indicate an embedded OLE object (word/embeddings/oleObject1.bin) whose Ole10Native package carries an executable payload; the heuristic engine matches this shape to CVE-2026-21514, but note that an Ole10Native package that drops a runnable binary is a malware dropper whether or not any vulnerability is actually triggered, since static analysis alone cannot confirm exploitation. The embedded OLE object and its Ole10Native package are the primary indicators of malicious intent and show that the document is built to deliver a secondary executable.

Heuristics (7)

  • OOXML Ole10Native with payload/link indicators — possible CVE-2026-21514 [severity: high, id: CVE_2026_21514, tag: CVE likely]
    Office document contains embedded OLE (word/embeddings/oleObject1.bin) with Ole10Native plus executable, PE, or risky remote-link indicators. This is a likely CVE-2026-21514 exploitation shape.
  • Ole10Native package drops an auto-executable payload [severity: critical, id: OFFICE_PACKAGE_RISKY_FILE]
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use; it is a malware-delivery dropper.
  • ClamAV: Win.Downloader.Rakhni-9865640-0 [severity: critical, id: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Downloader.Rakhni-9865640-0
  • ClamAV detection on extracted artifact [severity: critical, id: EXTRACTED_FILE_CLAMAV]
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Embedded OLE object [severity: medium, id: OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.
  • Suspicious extracted artifact [severity: info, id: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [severity: info, id: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The schemas.microsoft.com and schemas.openxmlformats.org entries below are OOXML XML namespace URIs from the document parts, not network destinations. The GlobalSign entries, including the stray trailing characters such as "0", "03" and "0T", are consistent with strings carved from DER-encoded certificate extensions (CRL distribution points and CA issuer URLs) in a code-signing or timestamp chain inside the embedded executable; none of the listed URLs is a download or command-and-control location.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
    • https://www.globalsign.com/repository/03
    • http://crl.globalsign.net/root.crl0
    • https://www.globalsign.com/repository/0
    • http://crl.globalsign.com/gs/gstimestampingg2.crl0T
    • http://secure.globalsign.com/cacert/gstimestampingg2.crt0
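The Ole10Native and OFFICE_PACKAGE_RISKY_FILE heuristics above, together with the entropy figures in the extracted-artifact section, can be reproduced with a short triage script. The following is an added example written for this page, not code from the analysis platform or from ClamAV. It parses the Ole10Native stream layout used by OLE "Package" objects (size, flags, label, original path, two 32-bit fields, temp path, payload size, payload), flags labels or paths ending in a directly auto-executable extension, checks for a PE header, and measures Shannon entropy of the carried payload. The extension list, the constructed docx container and the sample stream are assumptions made for the example; in a real sample the Ole10Native stream sits inside the CFB container word/embeddings/oleObject1.bin and must first be pulled out with a CFB parser such as olefile.

```python
"""Triage an Ole10Native (OLE Package) stream carved from an OOXML document.

Added example for this page; not the analysis platform's code. The stream
bytes and the .docx container are constructed in memory so the script runs
offline. Real embeddings are CFB files: extract the "\\x01Ole10Native"
stream with olefile (or similar) and pass its bytes to parse_ole10native().
"""
import hashlib
import io
import math
import struct
import zipfile
from collections import Counter

# Extensions the shell runs directly on double-click (assumed list for the example).
AUTO_EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                  ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".lnk", ".msi"}


def _read_cstring(buf, off):
    """Read a NUL-terminated ANSI string starting at off; return (text, next_off)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def parse_ole10native(stream):
    """Parse an Ole10Native stream into its fields plus the embedded payload."""
    declared_total, flags = struct.unpack_from("<IH", stream, 0)  # size of the rest, flags (usually 2)
    off = 6
    label, off = _read_cstring(stream, off)        # displayName shown to the user
    src_path, off = _read_cstring(stream, off)     # original full path on the author's machine
    off += 8                                       # two uint32 fields, skipped (not needed for triage)
    temp_path, off = _read_cstring(stream, off)    # path Office used when packaging
    (size,) = struct.unpack_from("<I", stream, off)
    off += 4
    payload = stream[off:off + size]
    if len(payload) != size:
        raise ValueError("truncated Ole10Native payload")
    return {"declared_total": declared_total, "flags": flags, "label": label,
            "src_path": src_path, "temp_path": temp_path, "payload": payload}


def shannon_entropy(data):
    """Bits per byte; 8.0 is the maximum, packed/encrypted data sits near it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(pkg):
    """Return a list of findings mirroring the page's Ole10Native heuristics."""
    findings = []
    for field in ("label", "src_path", "temp_path"):
        name = pkg[field].lower().replace("/", "\\").rsplit("\\", 1)[-1]
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in AUTO_EXEC_EXTS:
            findings.append(f"{field} ends in auto-executable extension {ext}")
    if pkg["payload"][:2] == b"MZ":
        findings.append("payload starts with MZ (PE executable)")
    ent = shannon_entropy(pkg["payload"])
    if ent > 7.5:
        findings.append(f"payload entropy {ent:.2f} consistent with packed or encrypted content")
    return findings


def embedded_ole_parts(docx_bytes):
    """List OOXML parts under word/embeddings/ that would hold OLE objects."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return sorted(n for n in zf.namelist()
                      if n.startswith("word/embeddings/") and n.lower().endswith(".bin"))


# --- constructed sample input (not from the analysed file) -------------------
def build_ole10native(label, src_path, temp_path, payload):
    body = (struct.pack("<H", 2) + label.encode("latin-1") + b"\x00"
            + src_path.encode("latin-1") + b"\x00" + b"\x00" * 8
            + temp_path.encode("latin-1") + b"\x00"
            + struct.pack("<I", len(payload)) + payload)
    return struct.pack("<I", len(body)) + body


def _pseudo_random_bytes(n, seed=b"constructed-sample"):
    """Deterministic high-entropy filler standing in for a packed PE body."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


SAMPLE_PAYLOAD = b"MZ" + _pseudo_random_bytes(4094)
SAMPLE_STREAM = build_ole10native("invoice.exe", "C:\\Users\\author\\invoice.exe",
                                  "C:\\Temp\\invoice.exe", SAMPLE_PAYLOAD)

_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("[Content_Types].xml", "<Types/>")
    _zf.writestr("word/document.xml", "<w:document/>")
    _zf.writestr("word/embeddings/oleObject1.bin", b"placeholder CFB container")
SAMPLE_DOCX = _buf.getvalue()

if __name__ == "__main__":
    print("embedded OLE parts:", embedded_ole_parts(SAMPLE_DOCX))
    pkg = parse_ole10native(SAMPLE_STREAM)
    print("label:", pkg["label"], "| src_path:", pkg["src_path"], "| size:", len(pkg["payload"]))
    for line in triage(pkg):
        print(" -", line)
```

The three findings the script emits for the constructed stream (auto-executable extension, MZ header, entropy near 8) are exactly the combination this report's critical heuristics key on; a package with a benign label but an MZ payload, or with a .exe label but low-entropy content, should still be escalated, since attackers routinely mismatch the displayed name and the real content.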

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 401ab96eb0b124a542018a73d20a76f9ec5f7fa0a8b4b17d8ab87243b4ff909e
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
  Size: 1168384 bytes
  Detection: ClamAV: Win.Downloader.Rakhni-9865640-0
  Obfuscation or payload: likely. Carved artifact entropy is 7.89, consistent with packed or encrypted content.

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: c624b0929ac13474edbb731cd777b31eeb7fc72110b8750b6eec972de55669e0
  Kind: ole-package
  Source: OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native
  Size: 1156801 bytes
  Detection: ClamAV: Win.Downloader.Rakhni-9865640-0
  Obfuscation or payload: likely. Carved artifact entropy is 7.92, consistent with packed or encrypted content.

Filename: emf_00.emf
  SHA-256: c51a6d90a73663f1db27e260da9f49acdc0d796a5d436f9d388d3277d6e4343c
  Kind: ooxml-emf
  Source: OOXML EMF part: word/media/image1.emf
  Size: 1674964 bytes

Filename: emf_01.emf
  SHA-256: be60a8344d1dc04dd56242d95971176d085d4b7b75ee210c6756c5891ce90bfc
  Kind: ooxml-emf
  Source: OOXML EMF part: word/media/image2.emf
  Size: 2608 bytes

Filename: emf_02.emf
  SHA-256: f7840cb5a69fe4dce001daec74531568854ae89d0dfac2e92eef613cd4bfac51
  Kind: ooxml-emf
  Source: OOXML EMF part: word/media/image3.emf
  Size: 5304 bytes