Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ca5000f8520a75b8…

MALICIOUS

Office (OLE)

Size: 92.0 KB
Created: 2010-01-14 02:56:00
Authoring application: Microsoft Office Word
First seen: 2017-08-08
MD5: 28bd7b1e9d751a11b53a53d2c9d44319
SHA-1: 32315b410db0a03a9d6e4d5d6b066a48fbddb7db
SHA-256: ca5000f8520a75b80e085d1c9f5098cbca912178efeca2aa5597348869633865
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is an OLE (Word) document that contains an embedded Ole10Native package. Heuristics indicate the package carries an executable payload; on that structural basis the engine treats the file as likely exploitation of CVE-2026-21514 for client execution (the CVE attribution is a heuristic match on the object's structure, not a confirmed exploit trigger). The visible document content appears to be a legitimate corporate meeting-minutes excerpt, used as the lure for a spearphishing attachment.

Heuristics (4)

  • OLE with Ole10Native: possible CVE-2026-21514 exploitation [severity: high; rule: CVE_2026_21514; tag: CVE likely]
    The document contains a Word OLE object with an Ole10Native stream plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Ole10Native package drops an auto-executable payload [severity: critical; rule: OFFICE_PACKAGE_RISKY_FILE]
    The OLE Package's displayName or fullPath ends in a directly auto-executable extension (a runnable binary, or a script that the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use; it is a malware-delivery dropper.
  • Reference to WinExec API [severity: high; rule: SC_STR_WINEXEC]
    The sample references the WinExec API, a legacy Win32 call that launches a program from a command line. A string reference to it inside an Office object is a common indicator of shellcode or dropper code that runs a staged payload.
  • Reference to VirtualAlloc API [severity: medium; rule: SC_STR_VIRTUALALLOC]
    The sample references the VirtualAlloc API, which reserves and commits memory and is routinely used by shellcode to obtain an executable region. Seen alongside WinExec, it is consistent with code that stages a payload in memory and then executes it.
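As an added example (editor's code, not part of the report or its analysis engine), the following Python parses an Ole10Native stream and applies the two structural checks the heuristics above describe: an auto-executable extension on the package's displayName or fullPath, and a PE (MZ) header at the start of the embedded data. The stream layout is the one implemented by oletools' oleobj; mapping displayName to the stream's label field and fullPath to its source-path field, and the list of auto-executable extensions, are this example's assumptions. The sample stream is constructed inline and is not the 41580-byte artifact carved from the reported file.

```python
import struct

# Extensions Windows runs directly on double-click. This is the editor's own
# conservative list; the report does not publish the engine's rule list.
AUTO_EXEC_EXTS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".msi", ".cpl",
}


def _read_cstring(buf, off):
    """Return (string, offset just past the NUL) for a NUL-terminated string."""
    end = buf.find(b"\x00", off)
    if end == -1:
        raise ValueError("unterminated string in Ole10Native stream")
    return buf[off:end].decode("latin-1"), end + 1


def parse_ole10native(stream):
    """Parse an Ole10Native stream into header fields and the embedded payload.

    Layout as implemented by oletools' oleobj (an assumption of this example):
      u32 total_size | u16 flags | label\0 | src_path\0 | u32 | u32 |
      temp_path\0 | u32 data_size | data[data_size]
    """
    if len(stream) < 6:
        raise ValueError("stream too short for Ole10Native header")
    total_size, flags = struct.unpack_from("<IH", stream, 0)
    off = 6
    label, off = _read_cstring(stream, off)      # displayName in the report's terms
    src_path, off = _read_cstring(stream, off)   # fullPath in the report's terms
    off += 8                                     # two u32 fields this parser ignores
    temp_path, off = _read_cstring(stream, off)
    if len(stream) < off + 4:
        raise ValueError("missing data_size field")
    (data_size,) = struct.unpack_from("<I", stream, off)
    off += 4
    data = stream[off:off + data_size]
    if len(data) != data_size:
        raise ValueError("truncated Ole10Native payload")
    return {
        "total_size": total_size, "flags": flags, "label": label,
        "src_path": src_path, "temp_path": temp_path, "data": data,
        # total_size should cover everything after the first 4 bytes
        "size_consistent": total_size == len(stream) - 4,
    }


def build_ole10native(label, src_path, temp_path, data, flags=2):
    """Serialize the same layout. Used here only to construct the samples below."""
    def enc(s):
        return s.encode("latin-1") + b"\x00"
    body = (struct.pack("<H", flags) + enc(label) + enc(src_path)
            + struct.pack("<II", 0, 0) + enc(temp_path)
            + struct.pack("<I", len(data)) + data)
    return struct.pack("<I", len(body)) + body


def has_auto_exec_extension(name):
    """True if the final extension of the file name is directly executable.
    Trailing whitespace is stripped so padded names like 'a.pdf   .exe' still match."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip()
    dot = base.rfind(".")
    return dot != -1 and base[dot:].lower() in AUTO_EXEC_EXTS


def assess(parsed):
    """Apply the two structural checks the report's heuristics describe."""
    findings = set()
    if has_auto_exec_extension(parsed["label"]) or has_auto_exec_extension(parsed["src_path"]):
        findings.add("OFFICE_PACKAGE_RISKY_FILE")   # rule name as it appears in the report
    if parsed["data"][:2] == b"MZ":
        findings.add("PE_PAYLOAD")                  # editor's own label for an MZ header
    return findings


# Constructed samples (not carved from the reported file).
SAMPLE_STREAM = build_ole10native(
    label="meeting-minutes.exe",
    src_path=r"C:\Users\author\Desktop\meeting-minutes.exe",
    temp_path=r"C:\Users\author\AppData\Local\Temp\meeting-minutes.exe",
    data=b"MZ" + b"\x90" * 62,   # fake DOS header stub, not a real PE
)
BENIGN_STREAM = build_ole10native(
    "agenda.txt", r"C:\docs\agenda.txt", r"C:\temp\agenda.txt", b"Agenda: budget review\n"
)

if __name__ == "__main__":
    for name, stream in (("sample", SAMPLE_STREAM), ("benign", BENIGN_STREAM)):
        p = parse_ole10native(stream)
        print(name, repr(p["label"]), len(p["data"]), "bytes ->", sorted(assess(p)) or "clean")
```

To apply this to a real file, extract the Ole10Native stream (for the reported sample, ObjectPool/_981269018/Ole10Native) with an OLE reader such as olefile and pass its bytes to parse_ole10native; a truncated or malformed stream raises ValueError rather than silently yielding a partial payload.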

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename            Kind         Source                                                     Size
ole10native_00.bin  ole-package  OLE Ole10Native stream: ObjectPool/_981269018/Ole10Native  41580 bytes
  SHA-256: b5b2b9cf8f324ff6cd06599c50a34fb8a38e78b27d95bb7f044d7361fdf7bde5