Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a539133276f01a73…

MALICIOUS

Office (OLE)

312.5 KB Created: 2018-03-13 14:34:00 Authoring application: Microsoft Office Word First seen: 2019-09-30
MD5: 298f37b2bfef16e348627f53b3aad962 SHA-1: b589067d49bc0f8f7f27688db23e7de12ea3a472 SHA-256: a539133276f01a73a12be443a9cdf634b5e70b9ea79be985eb9d536a17990f76
162 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an OLE document containing an embedded Ole10Native object, which is flagged as a risky file type that drops an auto-executable payload. Heuristics also indicate references to WinExec and VirtualAlloc APIs, suggesting the execution of external code. The presence of an embedded executable payload points to an attempt at initial execution of malware.

Heuristics 5

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliographyIn document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1393739660/Ole10Native 41580 bytes
SHA-256: ba9f027c5f42d4078d6cbce78f10abb29fb360b2e0a2e1ec822e2c468ad3e631

Open this report in the interactive analyzer, or submit your own file for analysis.