Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c489f4035652c27d…

MALICIOUS

Office (OLE)

108.0 KB Created: 2008-02-08 15:56:00 Authoring application: Microsoft Office Word First seen: 2019-12-09
MD5: a81dcfd0a42c2c6926f2c2d9a2e1b441 SHA-1: 1dbb5ffec3130fd996bd51852da3d2440afff969 SHA-256: c489f4035652c27de55ce44f910fc04623a93e3846a4209e99c6ec48bd0d7de3
220 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1105 Ingress Tool Transfer

The sample is an Office document containing an embedded executable file (MZ header detected). Heuristics indicate this is a risky file type that drops an auto-executable payload. The document body itself is a syllabus for a biochemical engineering course, which is likely a lure to disguise the malicious embedded content. The embedded executable is the primary indicator of malicious intent, suggesting the document is a delivery mechanism for a secondary payload.

Heuristics 5

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00008a2e.exe embedded-pe Office MZ+PE at offset 0x8A2E 75218 bytes
SHA-256: cde2f989aceb97470b5a93d6c606963a24b46a236ac0a20dbc3b4b1b4c7df535
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_979485558/Ole10Native 41580 bytes
SHA-256: ce7d305f6faad5a19b03654aa6f1792e995da2eae7bfe2bdf54b19a1c573be2e

Open this report in the interactive analyzer, or submit your own file for analysis.