Office (OOXML) malware analysis — malicious · ce1d37a7a181dc2e

MALICIOUS

Office (OOXML)

103.4 KB Created: 2019-05-22 19:33:00 UTC Authoring application: Microsoft Office Word 16.0000

MD5: 39fd3567201a831f0b5f408552c8199b SHA-1: a6d5fbdd3e00423d88d12d91e75f76fa3e495740 SHA-256: ce1d37a7a181dc2e69bfb614a1baf6136b72644d7d55814cc991038b9d84d593

122 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is a malicious Office document containing an embedded OLE object with indicators of a remote link or executable payload. This strongly suggests exploitation of a vulnerability like CVE-2026-21514 to execute arbitrary code. The embedded OLE package is designed to drop an auto-executable file, likely a DLL or EXE, which would then proceed to download and execute further malicious content.

Heuristics 4

OOXML Ole10Native with payload/link indicators — possible CVE-2026-21514 high CVE likely CVE_2026_21514

Office document contains embedded OLE (word/embeddings/oleObject1.bin) with Ole10Native plus executable, PE, or risky remote-link indicators. This is a likely CVE-2026-21514 exploitation shape.
Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE

OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.copel.br
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
- http://schemas.microsoft.com/office/drawing/2014/chartex
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.microsoft.com/office/drawing/2016/ink
- http://schemas.microsoft.com/office/drawing/2017/model3d
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2010/wordml
- http://schemas.microsoft.com/office/word/2012/wordml
- http://schemas.microsoft.com/office/word/2016/wordml/cid
- http://schemas.microsoft.com/office/word/2015/wordml/symex
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
- http://schemas.microsoft.com/office/word/2010/wordprocessingInk
- http://schemas.microsoft.com/office/word/2006/wordml
- http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ooxml_oleobject_00.bin` `d9d776e8c348ac427713e9990db7a334f74bc39ce9ff4e293e356524491ab928`	ooxml-ole-object	OOXML embedded OLE part: word/embeddings/oleObject1.bin	45056 bytes
`ooxml_oleobject_00_ole10native_00.bin` `ca263c37f3295502685c48146c42c06bdced80c179431f93a43153efc6e51c63`	ole-package	OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native	41580 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.