Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 ba6cc16770dc67c1…

Verdict: MALICIOUS

File type: Office (OLE) / .DOC

Size: 23.0 KB
Created: 2020-12-10 17:32:00
Authoring application: Microsoft Office Word
MD5: e7f658ee69fb3bb6f5bd9ae81d2400cd
SHA-1: d69af1bcb3f6dc41b200e9d808b708f6a9aff1b7
SHA-256: ba6cc16770dc67c1af1a3e103c3fd19a854193e7cd1fecbb11ca11c2c47cdf04

Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

The sample is a malicious OLE document that uses an 'enable content' lure to trick the user into running embedded objects. Heuristics indicate suspicious invocation of cmd.exe and PowerShell, and exploitation of CVE-2026-21514. The embedded URL http://23.98.155.192/sc.bat is likely used to download and execute a second-stage payload.

Heuristics (6)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation (severity: high; tag: CVE likely; ID: CVE_2026_21514)
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Suspicious cmd.exe invocation with execution flag (severity: high; ID: SC_STR_CMD)
    Suspicious cmd.exe invocation with execution flag.
  • Reference to PowerShell (severity: high; ID: SC_STR_POWERSHELL)
    Reference to PowerShell.
  • Visible LOLBin command execution instruction (severity: high; ID: SE_LOLBIN_RUN_COMMAND)
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32.
  • Macro/content-enable lure (severity: medium; ID: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.
  • Embedded URL (severity: info; ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://23.98.155.192/sc.bat
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • ole10native_00.bin
    SHA-256: 151eff4733bb9f590eb1ea45d1be269977b0cd158ab861a96b23ea9fa6e40e12
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_1670067230/Ole10Native
    Size: 1329 bytes
  • ole10native_01.bin
    SHA-256: e71cf13c5cff267c6ea2f9a4cd46ef3789fcd3895b028350982cfe662bfd3e6d
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_1670067231/Ole10Native
    Size: 1536 bytes