Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 cf555b59e6bb959f…

MALICIOUS

Office (OLE) / .DOC

279.5 KB Created: 2010-03-02 03:51:00 Authoring application: Microsoft Office Word
MD5: 2964b7a25199709fb7afaa473befeeba SHA-1: 9d2d9bee1471112a5dfe6a79de89af4804b2f8d2 SHA-256: cf555b59e6bb959fc77bfba368030a3efb5195b98e11d1a33a4b72bed3ed68b7
402 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The file is a malicious OLE document containing an embedded PE executable. Heuristics indicate the use of ShellExecute, URLDownloadToFile, LoadLibrary, and GetProcAddress APIs, suggesting the embedded executable is designed to download and execute further payloads. The presence of an embedded executable and the use of these APIs strongly indicate a malware delivery mechanism.

Heuristics 10

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Win.Trojan.Delf-10 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Delf-10
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00003693.exe
b9fbeb121c34c3a28cd8bf420fd860dde33768a2b92c4321303b4d17002a5ce3		 embedded-pe Office MZ+PE at offset 0x3693 272237 bytes
Detection
ClamAV: Win.Trojan.Delf-10
Obfuscation or payload: likely
Carved artifact entropy is 7.86, consistent with packed or encrypted content.
ole10native_00.bin
4d9c062f5a65161eca9353c4b9bfac6bc68c26d4045d8100b3bbea4cddc818c9		 ole-package OLE Ole10Native stream: ObjectPool/_1329046699/Ole10Native 263829 bytes
Detection
ClamAV: Win.Trojan.Delf-10
Obfuscation or payload: likely
Carved artifact entropy is 7.90, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.