Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 d735febefeef8650…

MALICIOUS

Office (OLE) / .DOC

197.0 KB Created: 2010-02-18 15:20:00 Authoring application: Microsoft Office Word
MD5: 0687a58ddcb20e025549a39e3113ff0a SHA-1: 5997fdf605a0d130d698a6c0cf8e93688fca256e SHA-256: d735febefeef865048e10f86c1c5c14b438669481cd479b988e25b87acd0f961
382 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The file is a Microsoft Word document containing an embedded Portable Executable (PE) file, identified by the 'OLE_EMBEDDED_EXE' heuristic. The document body simply states 'EMBED Package', suggesting a lure to execute the embedded file. The embedded PE file was detected by ClamAV as 'Win.Trojan.Netbus-15'. The presence of API calls like ShellExecute, VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress within the document's OLE structure further indicates malicious intent, likely related to the execution and manipulation of the embedded payload.

Heuristics 10

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Win.Trojan.Netbus-15 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Netbus-15
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00003476.exe
2b67dc3a0e20f7fd088b9fe3fe5126e62ae26d2778dff465fd2962f86d04dc4a		 embedded-pe Office MZ+PE at offset 0x3476 188298 bytes
Detection
ClamAV: Win.Trojan.Netbus-15
Obfuscation or payload: likely
Carved artifact entropy is 7.86, consistent with packed or encrypted content.
ole10native_00.bin
6d694baf80bc3b9472c69c3293cdf7c55de8081eb3084c529ebc4f7def10990f		 ole-package OLE Ole10Native stream: ObjectPool/_1328015237/Ole10Native 182392 bytes
Detection
ClamAV: Win.Trojan.Netbus-15
Obfuscation or payload: likely
Carved artifact entropy is 7.93, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.