Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 dc82c7cd440d9307…

MALICIOUS

Office (OLE) / .DOC

Size: 102.5 KB
Created: 2000-12-09 22:33:00
Authoring application: Microsoft Word 9.0
MD5: 3bb692fc2a31eaaa81e95449d4cf06fd
SHA-1: 1c60144133c4a6950145655ee0e07217710e766c
SHA-256: dc82c7cd440d9307c61029d8172cb2026ea62668b09cbfc97debc697ff95d615
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File: User Execution
  • T1059.001 PowerShell
  • T1105 Ingress Tool Transfer

The sample is an OLE document that fires heuristics for Ole10Native exploitation (CVE_2026_21514) and WinExec/VirtualAlloc API calls, indicating it attempts to execute code. The presence of an embedded OLE package further supports this. The document body content is a legitimate-looking government decree, suggesting a lure to trick the user into opening the malicious content. The primary attack vector appears to be exploiting a vulnerability within the OLE object to achieve arbitrary code execution, likely for downloading and running a second-stage payload.

Heuristics (3)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation (severity: high; CVE likely: CVE_2026_21514)
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Reference to WinExec API (severity: high; tag: SC_STR_WINEXEC)
  • Reference to VirtualAlloc API (severity: medium; tag: SC_STR_VIRTUALALLOC)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ole10native_00.bin
SHA-256: 432dbe7c3dbb23aa6cef34e62915157a0e23d7a11283288b3bea941a0ab9be12
Kind: ole-package
Source: OLE Ole10Native stream: ObjectPool/_996307336/Ole10Native
Size: 41580 bytes