Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 c3379e83cd3e8763…

MALICIOUS

Office (OLE) / .DOCX

Size: 74.0 KB
Created: 2020-03-04 17:56:00
Authoring application: Microsoft Office Word
MD5: 1eb8dd501af0415fd22f93590a561d5d
SHA-1: 78eefb796a7d9f8261d47bf0882849ea7777ab00
SHA-256: c3379e83cd3e8763f80010176905f147fcc126b5e7ad9faa585d5520386bd659
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File
T1559.002 Component Object Model Hijacking

The file is detected as malicious by ClamAV as 'Doc.Dropper.Agent-7630856-0'. High severity heuristics indicate the presence of an OLE object ('Ole10Native') which is a known vector for exploitation, potentially related to CVE-2026-21514. The embedded OLE packages ('ole10native_00.bin' and 'ole10native_01.bin') are flagged as containing executable or script file types, specifically '.bat' files, suggesting they are used to drop and execute a secondary payload.

Heuristics (4)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation [high] [CVE likely] [CVE_2026_21514]
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • ClamAV: Doc.Dropper.Agent-7630856-0 [critical] [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Agent-7630856-0
  • Ole10Native package carries executable/script file type [high] [OFFICE_PACKAGE_RISKY_FILE]
    OLE Package displayName or fullPath ends in an executable or script-capable extension. Even without UI extension spoofing, embedding a runnable payload inside an Office document is a high-risk delivery pattern.
  • Embedded URL [info] [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ole10native_00.bin
          8f55ac9a7338d908e087210d870d5f24a55454565c1ee3f2a0ee33b90102ff6a
Kind: ole-package
Source: OLE Ole10Native stream: ObjectPool/_1645425484/Ole10Native
Size: 26260 bytes

Filename: ole10native_01.bin
          4c19c238793fbb7a732ee175165a4da5529947d0ab7dd553eff35e355fd450fd
Kind: ole-package
Source: OLE Ole10Native stream: ObjectPool/_1645425485/Ole10Native
Size: 26359 bytes