Office (OLE) / .DOC malware analysis — malicious · a9b854077ea485ae

MALICIOUS

Office (OLE) / .DOC

114.5 KB Created: 1999-07-10 15:21:00 Authoring application: Microsoft Word 8.0

MD5: 60ed859c0add6391582ac95d941c42d1 SHA-1: 1b8f6164eab7328fd898f0ea01371384fb5cc3f0 SHA-256: a9b854077ea485ae799e71bc4623c93b8b473acdda0b33869baf13309f87b03d

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample is a Microsoft Word document containing an embedded Portable Executable (PE) file. Heuristics indicate the presence of WinExec and VirtualAlloc APIs, commonly used by malware, and specifically flag an embedded PE executable and potential exploitation of CVE-2026-21514 via Ole10Native. The embedded executable is the primary indicator of malicious intent, suggesting the document is a lure to execute a secondary payload.

Heuristics 4

OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514

Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_office_0000ba2a.exe` `b4fa6eafd8e567b7be5db200fa75b30d3f63ffdd5b89c8a96e98bc62797cd918`	embedded-pe	Office MZ+PE at offset 0xBA2A	69590 bytes
`ole10native_00.bin` `921520cfc0129ec6746e99fbec92e22b96f64a204162c65ba30e63555144ddcf`	ole-package	OLE Ole10Native stream: ObjectPool/_978932642/Ole10Native	41580 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.