Malicious Office (OLE) / .WPS — malware analysis report

Static analysis result for SHA-256 e3a98733e244d34f…

MALICIOUS

Office (OLE) / .WPS

134.5 KB
MD5: fd669bd94df994af4d12ddb5dd8b465d
SHA-1: 9cbcf35775c0d63f5534643977ce53235fa71f5a
SHA-256: e3a98733e244d34fc39bcbc46c4f1256d6104387f26dcf9ba0d90bd2d7c31d94
Risk Score: 160

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious File

The sample is an OLE document containing an embedded PE executable. The presence of Ole10Native and references to WinExec and VirtualAlloc APIs suggest the embedded executable is designed to be run, likely through exploitation of an OLE vulnerability like CVE-2026-21514. The embedded executable itself is the primary IOC.

Heuristics (4)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation (severity: high; tag: CVE likely; rule: CVE_2026_21514)
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable (severity: critical; rule: OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable
  • Reference to WinExec API (severity: high; rule: SC_STR_WINEXEC)
    Reference to WinExec API
  • Reference to VirtualAlloc API (severity: medium; rule: SC_STR_VIRTUALALLOC)
    Reference to VirtualAlloc API

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: embedded_office_0001b09e.exe
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x1B09E
    Size: 26978 bytes
    SHA-256: a193d797422763e90baf243ec11d4244e6a90c29799e1a001a4e17b1aef31382
  • Filename: ole10native_00.bin
    Kind: ole-package
    Source: OLE Ole10Native stream: Object 1/Ole10Native
    Size: 41580 bytes
    SHA-256: b20f6c21aec432399b31454e7962a58787f0382465bff1cfa9d21c8b171178d6