Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bb68a2cd874a0e49…

MALICIOUS

Office (OLE)

475.5 KB Created: 2002-10-23 14:17:00 Authoring application: Microsoft Word 10.0 First seen: 2019-04-18
MD5: a0b3fe4bf486dccba14081cf4321bfe6 SHA-1: c48d521daa7b17a2eebd2a0e48fc166d9d545a0f SHA-256: bb68a2cd874a0e49a839dc3eb36b3392d7a84f3156edbfebf96bb423de42a13a
420 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1027 Obfuscated Files or Information T1203 Exploitation for Client Execution

The file is a malicious Office document containing an embedded PE executable and a Flash object. Heuristics indicate the use of Windows API functions like WinExec and CreateProcess, commonly used for executing payloads. The presence of Ole10Native packaging further suggests the file is designed to drop and execute an auto-executable payload, likely a secondary stage.

Heuristics 9

  • Legacy Flash object embedded in Office document high CVE related OFFICE_LEGACY_SWF_OBJECT
    Office document embeds a ShockwaveFlash ActiveX object with a legacy SWF version (5). This is old Flash-in-Office exploit-family evidence, not a specific Flash CVE without SWF tag-level validation.
  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Embedded Adobe Flash (SWF) in OLE document critical OFFICE_EMBEDDED_SWF
    Document contains an embedded Adobe Flash (SWF) object. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 involved Flash objects embedded in Office files. Adobe Flash has been end-of-life since December 2020.
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0000505c.exe embedded-pe Office MZ+PE at offset 0x505C 466340 bytes
SHA-256: 5a3d7cd42db1230ef22441a09941318a0a79d48515a2a03ca3f896c360f6038d
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1120986498/Ole10Native 461489 bytes
SHA-256: de69c833ca8b6bb6fee671cd00b76b5fd0c99bc5a8a658ee23cdfc0ddb7245cd

Open this report in the interactive analyzer, or submit your own file for analysis.