Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cf5275fb802d50c2…

MALICIOUS

Office (OLE)

622.0 KB Created: 2009-08-02 19:51:00 Authoring application: Microsoft Office Word First seen: 2019-11-20
MD5: c1adb384a2b9d26f85ed8d2d7b7da4fa SHA-1: bd802c942e59d98a042846473e90466606f105b9 SHA-256: cf5275fb802d50c285153d3528865ce08342b18d4162bbca142950d0f255c57e
260 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1027 Obfuscated Files or Information

The file is an Office document containing an embedded executable file (MZ header at offset 0x39E71) and an Ole10Native package that drops an auto-executable payload. Heuristics indicate the use of VirtualAlloc, LoadLibrary, and GetProcAddress APIs, suggesting dynamic loading of malicious code. The embedded executable and the Ole10Native package are the primary indicators of malicious intent.

Heuristics 6

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00039e71.exe embedded-pe Office MZ+PE at offset 0x39E71 399759 bytes
SHA-256: ea54617585087745a9d9fc04f6d784280a11d198f3c74d9b99669a25b3c93d40
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1321042426/Ole10Native 277619 bytes
SHA-256: 93de34593e8dfd6098fa7b33941b9863f5f13f2a2681fd1b5d88ab42a74f0dfd

Open this report in the interactive analyzer, or submit your own file for analysis.