Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a0f869c702bb53c1…

MALICIOUS

Office (OLE)

216.0 KB Created: 2017-10-18 00:13:00 Authoring application: Microsoft Office Word First seen: 2017-10-28
MD5: 52960f1a63a18cab2e92f40f2750691c SHA-1: 2c025087626057f20c1e3e530d8cc2b87d67a943 SHA-256: a0f869c702bb53c12be3d2776612e3afcc5e344f61229cdbd1328b9b2dd1ac2c
500 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1140 Deobfuscate/Decode Files or Information T1027 Obfuscated Files or Information T1203 Exploitation for Client Execution

The sample is a Microsoft Word document that leverages CVE-2007-3899 for memory corruption to drop an embedded PE executable. The document body falsely claims a need for conversion, likely to bypass user suspicion and encourage interaction with the embedded OLE package, which is designed to drop an executable. The presence of ShellExecute, LoadLibrary, and GetProcAddress APIs further indicates malicious execution capabilities.

Heuristics 9

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • ClamAV: Win.Exploit.Bypassuac-9883294-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Exploit.Bypassuac-9883294-0
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_000034a9.exe embedded-pe Office MZ+PE at offset 0x34A9 207703 bytes
SHA-256: b0948c50ca3237660dc49775b37683350cce1b979cb95ccbac11877365911e81
Detection
ClamAV: Win.Exploit.Bypassuac-9883294-0
Obfuscation or payload: unlikely
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1569793323/Ole10Native 203459 bytes
SHA-256: 73e08a4f072bff87098ed4aff225b3aacadc2b97a788618badaa4045796e9027

Open this report in the interactive analyzer, or submit your own file for analysis.