Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c646906f39983355…

MALICIOUS

Office (OLE)

Size: 496.5 KB
Created: 2018-11-29 10:39:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: 61fac9e0b04cbc18f38ff32a10c1524a
SHA-1: 6b33e738e7b27d930ea7e5ecbe10b4320aaabcc4
SHA-256: c646906f3998335565d7c1d7d939b0151a40ccd0064fdf9dae7e29181f6b066d
Risk Score: 442

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1105 Ingress Tool Transfer

The sample is an OLE document containing an embedded executable payload. Heuristics indicate that this payload is a script designed to fetch and execute additional content from URLs. The embedded executable and the script's download-and-execute functionality strongly suggest an attempt to compromise the system by delivering a secondary payload. The URLs provided, while marked as benign, were part of the script's functionality.

Heuristics (12)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation [high, CVE likely] CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package payload is a download-and-execute script [critical] OFFICE_PACKAGE_SCRIPT_DROPPER
    The OLE Package's embedded payload contains a script that invokes a shell host (PowerShell/WScript/mshta), fetches a remote resource, and executes it — a download-and-run dropper. Embedding such a script inside an Office document via the Object Packager is a direct user-execution delivery technique (MITRE T1204.002), not a benign attachment.
  • Ole10Native package drops an auto-executable payload [critical] OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • PEB access via FS segment (x86) [high] SC_PEB_ACCESS
    Disassembly (attempted x86 opcode disassembly):
    00025A2F  648b3530000000    mov esi, dword ptr fs:[0x30]
    00025A36  83c634            add esi, 0x34
    00025A39  57                push edi
    00025A3A  8b06              mov eax, dword ptr [esi]
    00025A3C  85c0              test eax, eax
    00025A3E  753d              jne 0x25a7d
    00025A40  6a08              push 8
    00025A42  50                push eax
    00025A43  ff15ac514200      call dword ptr [0x4251ac]
    00025A49  50                push eax
    00025A4A  ff15b4514200      call dword ptr [0x4251b4]
    00025A50  8bf8              mov edi, eax
    00025A52  85ff              test edi, edi
    00025A54  742f              je 0x25a85
    00025A56  57                push edi
    00025A57  ff15a4514200      call dword ptr [0x4251a4]
    00025A5D  6a00              push 0
    00025A5F  57                push edi
    00025A60  56                push esi
    00025A61  ff15a8514200      call dword ptr [0x4251a8]
    00025A67  85c0              test eax, eax
    00025A69  7410              je 0x25a7b
    00025A6B  57                push edi
    00025A6C  6a00              push 0
    00025A6E  ff15ac514200      call dword ptr [0x4251ac]
    00025A74  50                push eax
    00025A75  ff15b0514200      call dword ptr [0x4251b0]
    00025A7B  8b06              mov eax, dword ptr [esi]
    00025A7D  a330494300        mov dword ptr [0x434930], eax
    00025A82  33c0              xor eax, eax
    00025A84  40                inc eax
    00025A85  5f                pop edi
    00025A86  5e                pop esi
    00025A87  c3                ret
    00025A88  56                push esi
    00025A89  8bf1              mov esi, ecx
    00025A8B  e8                .byte 0xe8
    00025A8C  360000            add byte ptr ss:[eax], al
  • Reference to ShellExecute API [high] SC_STR_SHELLEXEC
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
  • Reference to VirtualProtect API [medium] SC_STR_VIRTUALPROTECT
  • Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (channel that reached each URL in brackets):
    • http://msdn.microsoft.com [Embedded OLE package script]
    • http://www.codeproject.com [Embedded OLE package script]
    • http://www.google.com [Embedded OLE package script]

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: embedded_office_000154ad.exe
  Kind: embedded-pe
  Source: Office MZ+PE at offset 0x154AD
  Size: 421203 bytes
  SHA-256: 0966e7d227d449547a2890206961a1ddb9a53544b5ba1d90d37ed0a4d89e6d9c
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS, SC_STR_GETPROCADDRESS, SC_STR_LOADLIBRARY.
    Static shellcode analysis recovered API/import strings: GetProcAddress, VirtualAlloc, OpenProcess, LoadLibraryA, LoadLibraryExA, advapi32.dll

Filename: ole10native_00.bin
  Kind: ole-package
  Source: OLE Ole10Native stream: ObjectPool/_1605021816/Ole10Native
  Size: 416745 bytes
  SHA-256: 5861e8770d4a445e68ffe115e30e1fbd0b1e4d602342a821083f21602e4622a5
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS, SC_STR_GETPROCADDRESS, SC_STR_LOADLIBRARY.
    Static shellcode analysis recovered API/import strings: GetProcAddress, VirtualAlloc, OpenProcess, LoadLibraryA, LoadLibraryExA, advapi32.dll