Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b40b7c145e94f134…

MALICIOUS

Office (OLE)

Size: 1003.0 KB
Created: 2010-05-22 16:35:00
Authoring application: Microsoft Office Word
First seen: 2017-10-10
MD5: 6c152213fed35d81329eed59930b630b
SHA-1: 27691f9583db058152200dc337175528ac9c9de0
SHA-256: b40b7c145e94f13480a86c625dc5fbe4f4b61fe7b66ca167f4f47a4610da7458
Risk Score: 422

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This Office document contains an embedded executable payload and a lure impersonating UPS, directing users to a suspicious URL. The presence of CreateProcess, VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress API calls suggests the embedded executable is likely a loader or dropper for further malicious activity. The document's content and the embedded executable indicate a multi-stage attack designed for credential phishing and payload delivery.

Heuristics (12)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation (severity: high; CVE likely; rule: CVE_2026_21514)
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable (severity: critical; rule: OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable.
  • Ole10Native package drops an auto-executable payload (severity: critical; rule: OFFICE_PACKAGE_RISKY_FILE)
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to CreateProcess API (severity: high; rule: SC_STR_CREATEPROCESS)
    Reference to CreateProcess API.
  • Reference to LoadLibrary API (severity: high; rule: SC_STR_LOADLIBRARY)
    Reference to LoadLibrary API.
  • Reference to GetProcAddress API (severity: high; rule: SC_STR_GETPROCADDRESS)
    Reference to GetProcAddress API.
  • Password-protected archive handoff (severity: high; rule: SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning.
  • Brand-impersonation credential phishing lure (severity: high; rule: SE_BRAND_CREDENTIAL_PHISH)
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: call-to-action link host does not match the impersonated brand: http://support.neptunetg.com/neptune.
  • Reference to VirtualAlloc API (severity: medium; rule: SC_STR_VIRTUALALLOC)
    Reference to VirtualAlloc API.
  • Reference to VirtualProtect API (severity: medium; rule: SC_STR_VIRTUALPROTECT)
    Reference to VirtualProtect API.
  • Callback phishing phone lure (severity: medium; rule: SE_CALLBACK_LURE)
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://support.neptunetg.com/neptune, in document text (OLE body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
embedded_office_0009745c.exe | embedded-pe | Office MZ+PE at offset 0x9745C | 407460 bytes | 46946b0419cbc49df5627b16c13bb39111bbea90f7fa6ffb5caece1f1ce9af4d
ole10native_00.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1299474456/Ole10Native | 262238 bytes | 77d479b6c865beacf78e571e9d033d1dc2ee601d120fa01af3ad998330d2e678