Office (OLE) malware analysis — malicious · c12490dcb49a67d9

MALICIOUS

Office (OLE)

753.0 KB Created: 2014-12-02 00:31:00 Authoring application: Microsoft Office Word First seen: 2018-06-21

MD5: 39391e022ce89784eb46fed43c8aa341 SHA-1: e420f2ab69108120e0deb49ab753f9d195449acd SHA-256: c12490dcb49a67d9021bc11bb7ef2595796217c9a646156e670f8d1fcc0ad05a

384 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document containing an embedded PE executable, identified by the 'OLE_EMBEDDED_EXE' heuristic. The 'OFFICE_PACKAGE_RISKY_FILE' heuristic indicates that the Ole10Native package is designed to drop an executable payload. The presence of API calls like ShellExecute, VirtualAlloc, and VirtualProtect suggests the embedded executable is likely to perform malicious actions upon execution, such as memory allocation and code execution.

Heuristics 11

CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899

Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514

Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE

OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

Reference to VirtualProtect API
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/officeDocument/2006/bibliography In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_office_00005074.exe`	embedded-pe	Office MZ+PE at offset 0x5074	750476 bytes
SHA-256: `4617f98ff6d51c36bb5ab06b884f0877c76e48f5dc1eaf99a7fd488f277abcc2`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.90, consistent with packed or encrypted content.
`ole10native_00.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1484375617/Ole10Native	735550 bytes
SHA-256: `c74d371538495743f68b6316da4946c229e6be03422e8e97edca28fa5f559ccf`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.90, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.