Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b261c55ce6f3b41e…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 407.5 KB
Created: 2005-09-01 11:24:00
Authoring application: Microsoft Office Word
First seen: 2018-10-07
MD5: b3f901b697edc853185461951e35f764
SHA-1: 768c69afb8e40332c4d94aa14c633199e37f88e3
SHA-256: b261c55ce6f3b41ed71d04bad31aab9abd25311ce5123159cb754c3af8da2df9
Risk score: 282

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1105 Ingress Tool Transfer
  • T1203 Exploitation for Client Execution

The file is a malicious Office document containing an embedded executable (MZ header detected) and instructions in Turkish related to SWIFT installation. The embedded executable and the URL suggest the document is used to deliver malware, likely for financial fraud. The heuristics indicate the use of CreateProcess, LoadLibrary, and GetProcAddress APIs, common in malware execution, and specifically flag an embedded PE executable and an Ole10Native package designed to drop an auto-executable payload.

Heuristics (7)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation [severity: high] [tag: CVE likely] [rule: CVE_2026_21514]
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable [severity: critical] [rule: OLE_EMBEDDED_EXE]
    MZ/PE header found inside document — possible embedded executable.
  • Ole10Native package drops an auto-executable payload [severity: critical] [rule: OFFICE_PACKAGE_RISKY_FILE]
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to CreateProcess API [severity: high] [rule: SC_STR_CREATEPROCESS]
    Reference to CreateProcess API.
  • Reference to LoadLibrary API [severity: high] [rule: SC_STR_LOADLIBRARY]
    Reference to LoadLibrary API.
  • Reference to GetProcAddress API [severity: high] [rule: SC_STR_GETPROCADDRESS]
    Reference to GetProcAddress API.
  • Embedded URL [severity: info] [rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.5iantlavalamp.com/ (channel: in document text, OLE body)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                     | Kind        | Source                                                  | Size         | SHA-256
embedded_office_0002e697.exe | embedded-pe | Office MZ+PE at offset 0x2E697                          | 227177 bytes | 2cea52cf226bc7514c23418a6e0880f874be3bf4fe7d8a2aa1c0644843dfd32f
ole10native_00.bin           | ole-package | OLE Ole10Native stream: ObjectPool/_1005229266/Ole10Native | 2884 bytes   | 6f43f04b0781aaa246f7aa3f5f80cbdc9e1941a552894d9a24044788c17ff3c5
ole10native_01.bin           | ole-package | OLE Ole10Native stream: ObjectPool/_1005230467/Ole10Native | 195145 bytes | 860cfe6d0890a55ba822caad0b66d132a30f692858bb2b0b741bde317c1a0d9c