Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d2269017a3ffbb3e…

MALICIOUS

Office (OLE)

828.5 KB Created: 2014-12-02 01:31:00 Authoring application: Microsoft Office Word First seen: 2018-06-21
MD5: fdd4f8ba09da78e1ff2957305d71563f SHA-1: 737baa0f984a5ae33619c69cd22b916d24c7f15f SHA-256: d2269017a3ffbb3eebe4834cda424f872e8a4cee6d1affc771a3b635340f912f
422 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample exploits CVE-2007-3899 and CVE-2026-21514 within an OLE package to drop and execute a payload. The embedded package contains references to network fetching and execution APIs, indicating it likely downloads and runs a second-stage executable. The document body's claim of a resume and instruction to 'Enable Editing' are typical social engineering lures for malicious documents.

Heuristics 10

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • ClamAV: Doc.Dropper.Agent-6519265-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6519265-0
  • Ole10Native package payload is a download-and-execute script critical OFFICE_PACKAGE_SCRIPT_DROPPER
    The OLE Package's embedded payload contains a script that hosts a shell (PowerShell/WScript/mshta), fetches a remote resource, and executes it — a download-and-run dropper. Embedding such a script inside an Office document via the Object Packager is a direct user-execution delivery technique (MITRE T1204.002), not a benign attachment.
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EAX)
    Disassembly
    Attempted x86 opcode disassembly
    000992FA  e800000000        call 0x992ff
000992FF  58                pop eax
00099300  055a0b0000        add eax, 0xb5a
00099305  8b30              mov esi, dword ptr [eax]
00099307  03f0              add esi, eax
00099309  2bc0              sub eax, eax
0009930B  8bfe              mov edi, esi
0009930D  66ad              lodsw ax, word ptr [esi]
0009930F  c1e00c            shl eax, 0xc
00099312  8bc8              mov ecx, eax
00099314  50                push eax
00099315  ad                lodsd eax, dword ptr [esi]
00099316  2bc8              sub ecx, eax
00099318  03f1              add esi, ecx
0009931A  8bc8              mov ecx, eax
0009931C  57                push edi
0009931D  51                push ecx
0009931E  49                dec ecx
0009931F  8a443906          mov al, byte ptr [ecx + edi + 6]
00099323  880431            mov byte ptr [ecx + esi], al
00099326  75f6              jne 0x9931e
00099328  2bc0              sub eax, eax
0009932A  ac                lodsb al, byte ptr [esi]
0009932B  8bc8              mov ecx, eax
0009932D  80e1f0            and cl, 0xf0
00099330  240f              and al, 0xf
00099332  c1e10c            shl ecx, 0xc
00099335  8ae8              mov ch, al
00099337  ac                lodsb al, byte ptr [esi]
00099338  0bc8              or ecx, eax
0009933A  51                push ecx
0009933B  02cd              add cl, ch
0009933D  bd00fdffff        mov ebp, 0xfffffd00
00099342  d3e5              shl ebp, cl
00099344  59                pop ecx
00099345  58                pop eax
00099346  8bdc              mov ebx, esp
00099348  8da46c90f1ffff    lea esp, [esp + ebp*2 - 0xe70]
0009934F  51                push ecx
00099350  2bc9              sub ecx, ecx
00099352  51                push ecx
00099353  51                push ecx
00099354  8bcc              mov ecx, esp
00099356  51                push ecx
00099357  668b17            mov dx, word ptr [edi]
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ocsp.thawte.com0 Embedded OLE package script
    • http://ts-ocsp.ws.symantec.com07Embedded OLE package script
    • http://crl.thawte.com/ThawteTimestampingCA.crl0Embedded OLE package script
    • http://ts-aia.ws.symantec.com/tss-ca-g2.cer0Embedded OLE package script
    • http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
    • http://ts-crl.ws.symantec.com/tss-ca-g2.crl0Embedded OLE package script

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1483034893/Ole10Native 795690 bytes
SHA-256: fe65ae56e5d09846dd169a2756a6c20cdd3a2bc83123e0d7e1c135a78edb5226
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_STR_GETPROCADDRESS, SC_STR_SHELLEXEC, SC_GETPC_CALL Static shellcode analysis recovered API/import strings: kernel32.dll, advapi32.dll, shell32.dll, KERNEL32.DLL, ADVAPI32.DLL, GetProcAddress Carved artifact entropy is 8.00, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.