Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cbf3e759defb8ae7…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 725.5 KB
Created: 2008-12-19 05:56:00
Authoring application: Microsoft Office Word
First seen: 2017-12-24

MD5: 476066b3dc4d6507b3e047fd3d25dfc7
SHA-1: dac8e16a5fb5ddc87b6e13c298e3a2db63bdb44b
SHA-256: cbf3e759defb8ae797ab3e27c078267648c03a0bcde26098b1215494008b6db8

Risk Score: 482

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is a malicious Office document containing an embedded executable and a Flash object, exploiting CVE-2007-3899 and potentially CVE-2026-21514. The document body instructs the user to click on an embedded package, which is identified as a risky file type that drops an auto-executable payload. The presence of CreateProcess, LoadLibrary, and GetProcAddress API calls suggests the embedded executable is likely a loader or dropper for further malicious activity.

Heuristics (11)

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption [severity: critical; CVE likely; rule: CVE_2007_3899]
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • Legacy Flash object embedded in Office document [severity: high; CVE related; rule: OFFICE_LEGACY_SWF_OBJECT]
    Office document embeds a ShockwaveFlash ActiveX object with a legacy SWF version (5). This is evidence of the old Flash-in-Office exploit family; without SWF tag-level validation it does not point to a specific Flash CVE.
  • OLE with Ole10Native — possible CVE-2026-21514 exploitation [severity: high; CVE likely; rule: CVE_2026_21514]
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 concerns a flaw in OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable [severity: critical; rule: OLE_EMBEDDED_EXE]
    MZ/PE header found inside document — possible embedded executable
  • Embedded Adobe Flash (SWF) in OLE document [severity: critical; rule: OFFICE_EMBEDDED_SWF]
    Document contains an embedded Adobe Flash (SWF) object. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 involved Flash objects embedded in Office files. Adobe Flash has been end-of-life since December 2020.
  • Ole10Native package drops an auto-executable payload [severity: critical; rule: OFFICE_PACKAGE_RISKY_FILE]
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to WinExec API [severity: high; rule: SC_STR_WINEXEC]
  • Reference to CreateProcess API [severity: high; rule: SC_STR_CREATEPROCESS]
  • Reference to LoadLibrary API [severity: high; rule: SC_STR_LOADLIBRARY]
  • Reference to GetProcAddress API [severity: high; rule: SC_STR_GETPROCADDRESS]
  • Embedded URL [severity: info; rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://friendship.icq.com (channel: document text, OLE body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: embedded_office_0000466a.exe
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x466A
    Size: 724886 bytes
    SHA-256: e3e0d2d10da298400929643e7ceddce2e862b97eb9af2ba1c2adab2399dc3feb
  • Filename: ole10native_00.bin
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_1291117233/Ole10Native
    Size: 720423 bytes
    SHA-256: 99e23bfc7efc51e4adbbab03c34ebc9abb289d339de87b69009760552a0c5ebd