Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 be7c827309933c0c…

Verdict: MALICIOUS

File type: Office (OLE) / .DOC

Size: 952.5 KB
Created: 2010-03-09 15:51:00
Authoring application: Microsoft Office Word
MD5: 268fd9b255794b89768229003382b99d
SHA-1: 5a7f94f24f84437384351ea5829af94615f00876
SHA-256: be7c827309933c0c52ea569f4d13eb436f48cb99bfe328753e01ae8e6ae4c452
Risk score: 262

Malware Insights

MITRE ATT&CK
T1059.001 Command and Scripting Interpreter: PowerShell
T1204.002 User Execution: Malicious File

The document carries a lure built around a magic trick: the reader is told to click an embedded image to reveal the card they picked. The "image" is not a picture but a PE executable packaged as an OLE Ole10Native object, so the click the lure asks for is the user-execution step the payload depends on (T1204.002). The heuristics flag the embedded PE together with password instructions for an archive, the latter being a common way to keep a payload encrypted until it is past gateway scanning; taken together they indicate a document built to trick the user into running a malicious payload. The carved executable is the primary IOC.

Heuristics (7)

  • OLE with Ole10Native: possible CVE-2026-21514 exploitation [severity: high; confidence: likely; rule: CVE_2026_21514]
    Document contains a Word OLE object with an Ole10Native stream plus executable, PE, or risky remote-link indicators. CVE-2026-21514 concerns OLE metadata validation; a package stream combined with an embedded executable is the stronger structure and is treated as likely exploitation.
  • Embedded PE executable [severity: critical; rule: OLE_EMBEDDED_EXE]
    MZ/PE header found inside the document at offset 0x18A90 (see extracted artifacts); a Word document has no legitimate reason to carry a raw executable.
  • Reference to ShellExecute API [severity: high; rule: SC_STR_SHELLEXEC]
    String reference to ShellExecute, the API a dropper typically uses to launch a file it has written to disk.
  • Reference to LoadLibrary API [severity: high; rule: SC_STR_LOADLIBRARY]
    String reference to LoadLibrary.
  • Reference to GetProcAddress API [severity: high; rule: SC_STR_GETPROCADDRESS]
    String reference to GetProcAddress. With LoadLibrary this is the usual pair for resolving imports at run time, which packed or obfuscated code does to keep its import table uninformative; it is consistent with the high entropy of the carved payload.
  • Password-protected archive handoff [severity: high; rule: SE_PASSWORD_ARCHIVE_LURE]
    Document gives password instructions for an archive or attachment, a technique often used to keep a payload encrypted until it is past gateway scanning.
  • Suspicious extracted artifact [severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files carved from this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: embedded_office_00018a90.exe
SHA-256: 61d8bced6aa56412089004134969c9faa8acfe31128c8bf3e5e194cd17cca812
Kind: embedded-pe
Source: Office file, MZ+PE at offset 0x18A90
Size: 874352 bytes
Detection (ClamAV): No threats found
Obfuscation or payload: likely (carved artifact entropy 7.86, consistent with packed or encrypted content)

Filename: ole10native_00.bin
SHA-256: 8b05cd9f722c724ff7d71a4d5494703391ce64d5b0ace179b8986c2a1a504f9f
Kind: ole-package
Source: OLE Ole10Native stream ObjectPool/_1329644276/Ole10Native
Size: 911389 bytes
Detection (ClamAV): No threats found
Obfuscation or payload: likely (carved artifact entropy 7.85, consistent with packed or encrypted content)
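Added example, not part of this report or of the analysis engine that produced it: the script below reproduces the two checks behind the heuristics and artifact triage above. It parses an Ole10Native package stream of the kind carved as ole10native_00.bin, pulls the packaged file out together with the label and source path the author left in it, carves MZ/PE images from the payload the way the OLE_EMBEDDED_EXE rule does, and scores Shannon entropy as the extracted-artifact triage does. The Ole10Native field layout is the commonly documented Packager layout (as parsed by tools such as oletools), assumed rather than taken from the report. The sample stream, the name reveal_card.exe, the paths, the ENTROPY_ALERT threshold and the HIGH_ENTROPY_PAYLOAD rule name are all this example's own constructions.

```python
import math
import random
import struct
from collections import Counter

MZ_SIG = b"MZ"
PE_SIG = b"PE\x00\x00"
ENTROPY_ALERT = 7.0   # assumed threshold; the report's carved payloads score 7.85 and 7.86


def _read_cstr(buf: bytes, pos: int):
    """Return (bytes up to the NUL terminator, position just after it)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end], end + 1


def parse_ole10native(stream: bytes) -> dict:
    """Split an Ole10Native (Packager) stream into header fields and payload. Assumed layout:
    DWORD total size, WORD flags, NUL label, NUL source path, 2 DWORDs, NUL temp path, DWORD size, data."""
    if len(stream) < 6:
        raise ValueError("too short for an Ole10Native header")
    total_size, flags = struct.unpack_from("<IH", stream, 0)
    if total_size + 4 > len(stream):
        raise ValueError("declared total size exceeds stream length")
    pos = 6
    label, pos = _read_cstr(stream, pos)       # name Word shows under the icon
    src_path, pos = _read_cstr(stream, pos)    # path on the author's machine
    pos += 8                                   # skip DWORD flags + DWORD temp-path length
    temp_path, pos = _read_cstr(stream, pos)
    (payload_size,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    payload = stream[pos:pos + payload_size]
    if len(payload) != payload_size:
        raise ValueError("declared payload size exceeds stream length")
    return {"flags": flags,
            "label": label.decode("latin-1"),
            "src_path": src_path.decode("latin-1"),
            "temp_path": temp_path.decode("latin-1"),
            "payload": payload}


def find_pe_offsets(blob: bytes) -> list:
    """Offsets of 'MZ' headers whose e_lfanew lands on a 'PE\\0\\0' signature
    (the check behind an OLE_EMBEDDED_EXE style hit)."""
    hits, start = [], 0
    while True:
        i = blob.find(MZ_SIG, start)
        if i < 0 or i + 0x40 > len(blob):      # need the full 64-byte DOS header
            break
        (e_lfanew,) = struct.unpack_from("<I", blob, i + 0x3C)
        if blob[i + e_lfanew:i + e_lfanew + 4] == PE_SIG:
            hits.append(i)
        start = i + 1
    return hits


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte in 0.0..8.0; packed or encrypted data sits close to 8."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum((c / n) * math.log2(c / n) for c in Counter(blob).values())


def triage_ole10native(stream: bytes) -> dict:
    """Apply the embedded-PE and entropy checks to one Ole10Native stream."""
    info = parse_ole10native(stream)
    payload = info["payload"]
    offsets = find_pe_offsets(payload)
    entropy = round(shannon_entropy(payload), 2)
    rules = []
    if offsets:
        rules.append("OLE_EMBEDDED_EXE")
    if entropy >= ENTROPY_ALERT:
        rules.append("HIGH_ENTROPY_PAYLOAD")   # rule name invented for this example
    return {"label": info["label"], "src_path": info["src_path"],
            "pe_offsets": offsets, "entropy": entropy, "rules": rules}


def build_sample_stream() -> bytes:
    """Constructed input, not the report's artifact: an Ole10Native stream packaging a fake PE
    (64-byte DOS header, e_lfanew=0x40, 'PE\\0\\0', then 4 KiB of seeded pseudo-random filler)."""
    rnd = random.Random(1337)
    dos = bytearray(0x40)
    dos[0:2] = MZ_SIG
    struct.pack_into("<I", dos, 0x3C, 0x40)
    fake_pe = bytes(dos) + PE_SIG + bytes(rnd.getrandbits(8) for _ in range(4096))
    temp_path = b"C:\\Temp\\reveal_card.exe\x00"
    body = (struct.pack("<H", 2)
            + b"reveal_card.exe\x00"
            + b"C:\\Users\\author\\reveal_card.exe\x00"
            + struct.pack("<II", 0x00030000, len(temp_path))
            + temp_path
            + struct.pack("<I", len(fake_pe)) + fake_pe)
    return struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    print(triage_ole10native(build_sample_stream()))
```

Against a real .doc, the stream bytes come from the olefile package rather than from build_sample_stream: open the file with olefile.OleFileIO and read the stream under ObjectPool (olefile lists the stream name with a leading \x01 character, i.e. "\x01Ole10Native", which the report prints without it). The label and source path recovered from the header are worth keeping as IOCs in their own right: the label is what the victim sees under the icon, and the source path often leaks the author's username or build directory.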