Win.Dropper.NetWire-9974918-0 — Office (OOXML) malware analysis

Static analysis result for SHA-256 d8ccfc8d5a0251a0…

MALICIOUS

Office (OOXML)

521.8 KB Created: 2021-08-23 10:02:00 UTC Authoring application: Microsoft Office Word 14.0000
MD5: ee9589a77f665ea23cacfebd85fa3b06 SHA-1: fd3dd11a1cd8f301e099629582a0ea90c2d11c69 SHA-256: d8ccfc8d5a0251a041ad2675c5895dd4cbc2eed4c98459365929ce0354f459cf
244 Risk Score

Malware Insights

Win.Dropper.NetWire-9974918-0 · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1129 Execution through API

The file is identified as malicious by ClamAV as Win.Dropper.NetWire-9974918-0. Static analysis revealed an embedded OLE object with indicators for CVE-2026-21514, which is designed to drop an auto-executable payload. The presence of an embedded OLE object with executable extensions strongly suggests this document is intended to deliver a secondary malicious file.

Heuristics 7

  • OOXML Ole10Native with payload/link indicators — possible CVE-2026-21514 high CVE likely CVE_2026_21514
    Office document contains embedded OLE (word/embeddings/oleObject1.bin) with Ole10Native plus executable, PE, or risky remote-link indicators. This is a likely CVE-2026-21514 exploitation shape.
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • ClamAV: Win.Dropper.NetWire-9974918-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Dropper.NetWire-9974918-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
742779ae8ae4c07aa67315f04763019d5f21a542bb331d3004396f6cfab4f6f9		 ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject1.bin 748544 bytes
Detection
ClamAV: Win.Dropper.NetWire-9974918-0
Obfuscation or payload: likely
Carved artifact entropy is 7.59, consistent with packed or encrypted content.
ooxml_oleobject_00_ole10native_00.bin
f9eace3f96aa50238578f09a805055e6d19f1aedeae1d8ea864b987ba77e146c		 ole-package OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 740107 bytes
Detection
ClamAV: Win.Dropper.NetWire-9974918-0
Obfuscation or payload: likely
Carved artifact entropy is 7.62, consistent with packed or encrypted content.
emf_00.emf
b2b4f36c34dc104b3fbd5f733b27662b4eacf77c4cf8b749091140a02d2e5445		 ooxml-emf OOXML EMF part: word/media/image1.emf 5132 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.