Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cf7fc3b0fedfb4e2…

MALICIOUS

Office (OLE)

335.0 KB Created: 2017-07-12 21:29:00 Authoring application: Microsoft Office Word First seen: 2018-03-04
MD5: 5386f83ca66356c6bcfc3e8f97655c43 SHA-1: 9b603b3a9761b41846b9aab49d32619037af890c SHA-256: cf7fc3b0fedfb4e2c9ea22b161ccaeee6d455d221ffaeba127da2607597e0e39
382 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059 Command and Scripting Interpreter T1203 Exploitation for Client Execution

The sample is a Microsoft Word document that exploits CVE-2007-3899 to drop an embedded PE executable. The document body suggests a compatibility pack lure to encourage user interaction with the embedded object. The presence of ShellExecute and LoadLibrary API calls, along with an embedded PE executable, indicates the file's intent to execute a malicious payload. The document also contains a password-protected archive lure, commonly used to bypass security controls.

Heuristics 9

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_000038b5.exe embedded-pe Office MZ+PE at offset 0x38B5 328523 bytes
SHA-256: 0edef5acad777573ab91820b2adfdac7c4af7325bea3a9dc546b04d3334c68c2
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.67, consistent with packed or encrypted content.
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1561403746/Ole10Native 324593 bytes
SHA-256: 665d44806a93390ec6923bb5b049be98eae374b50280f7a35933213576dfe9db
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.71, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.