Office (OOXML) malware analysis — malicious · c1923226d58186c7

MALICIOUS

Office (OOXML)

643.8 KB Created: 2020-06-30 06:26:00 UTC Authoring application: Microsoft Office Word 12.0000

MD5: 2c171622a19a378ea51d08748c70eb59 SHA-1: 285a0dab9a7ca13a8390682f7f36b99b86405fc2 SHA-256: c1923226d58186c7e0735e058be80022a57e7e819e1e41b4c6e03065252be11f

182 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1105 Ingress Tool Transfer

The sample contains an embedded OLE object that is identified as a likely exploit for CVE-2026-21514. This object's payload is a VBScript designed to download and execute a second-stage payload from the URL http://rightapps.net/web/images/adobe.pdf. The embedded VBScript is the primary mechanism for payload delivery and execution.

Heuristics 5

OOXML Ole10Native with payload/link indicators — possible CVE-2026-21514 high CVE likely CVE_2026_21514

Office document contains embedded OLE (word/embeddings/oleObject1.bin) with Ole10Native plus executable, PE, or risky remote-link indicators. This is a likely CVE-2026-21514 exploitation shape.
Ole10Native package payload is a download-and-execute script critical OFFICE_PACKAGE_SCRIPT_DROPPER

The OLE Package's embedded payload contains a script that hosts a shell (PowerShell/WScript/mshta), fetches a remote resource, and executes it — a download-and-run dropper. Embedding such a script inside an Office document via the Object Packager is a direct user-execution delivery technique (MITRE T1204.002), not a benign attachment.
Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE

OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://rightapps.net/web/images/adobe.pdf
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2006/wordml
- http://ns.adobe.com/xap/1.0/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/iX/1.0/
- http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ooxml_oleobject_00.bin` `62d893a1b884719c000b2d6148381aaef76bc60ddc0e336520c201d12d57a6ca`	ooxml-ole-object	OOXML embedded OLE part: word/embeddings/oleObject1.bin	3584 bytes
`ooxml_oleobject_00_ole10native_00.bin` `8468065a542708850e4d0d03c3fd162bd9d34f955ee93252af0ba6f49bdf87b3`	ole-package	OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native	1326 bytes
`emf_00.emf` `bc6a93ce931b17080fdd9fe790d3385d9184e270d4ac540f3f4744191f5e959b`	ooxml-emf	OOXML EMF part: word/media/image1.emf	5460 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.