Office (OLE) / .DOC malware analysis — malicious · b23fe57b0ce32446

MALICIOUS

Office (OLE) / .DOC

108.5 KB Created: 2010-02-23 18:28:00 Authoring application: Microsoft Office Word

MD5: 08c54e0d1fba5e00a5421eaa9da0784a SHA-1: 5da14d227c32dd7b19b82c7adba7d3ca3cbf4ef0 SHA-256: b23fe57b0ce32446aba776a42aa162871d9c60eeb74f5db078286bca84e7d149

160 Risk Score

Malware Insights

MITRE ATT&CK

T1559.001 Component Object Model Hijacking T1204.002 Malicious File

The sample is a Microsoft Word document containing an embedded Portable Executable (PE) file, indicated by the OLE_EMBEDDED_EXE heuristic. The presence of Ole10Native data also suggests potential exploitation of CVE-2026-21514. The document body, a truncated commercial contract, serves as a lure to encourage the user to interact with or extract the embedded executable, which is the primary malicious payload.

Heuristics 4

OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514

Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_office_00010804.exe` `f9d2d788b7b2311c2ef49b854674a345332d53a62b996a582534a901490b465d`	embedded-pe	Office MZ+PE at offset 0x10804	43516 bytes
`ole10native_00.bin` `f9f0b1e17a6226882f1fbf761021a5a2d3fd5417293adf272317b056e61fcff4`	ole-package	OLE Ole10Native stream: ObjectPool/_1328416609/Ole10Native	41580 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.