Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 e4f51447537fed87…

MALICIOUS

Office (OLE) / .DOC

Size: 817.0 KB
Created: 2010-09-19 03:13:00
Authoring application: Microsoft Office Word
MD5:     caa4424264db20b96c7db30305a8320b
SHA-1:   8bf59bc3cc42b33576879bf1fd720f2dbdade34c
SHA-256: e4f51447537fed878b414591ee82f3b42171a5b1a6f71c2b0a79b1c5329dd1d3
Risk Score: 302

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic; T1204.002 User Execution: Malicious File

The sample is a malicious OLE (Word) document that carries both a VBA macro with a Document_Open handler and an embedded Ole10Native package. String references to the LoadLibrary and GetProcAddress APIs, together with the Ole10Native heuristic, point to code that resolves its imports at run time, which is typical of packed executables and of exploit shellcode. ClamAV detects both the document and the carved Ole10Native payload as Win.Packed.Ardamax-6965118-0. The Document_Open macro is the likely trigger. Because the 807,692-byte Ole10Native object accounts for nearly all of the 817 KB file and is itself the detected artifact, the payload appears to be embedded in the document rather than fetched as a second stage; the 367-byte decoded macro source should be read to confirm how the embedded object is activated.

Heuristics (8)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation (severity: high; rule: CVE_2026_21514)
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 concerns OLE metadata validation; this stronger structure is treated as likely exploitation.
  • ClamAV: Win.Packed.Ardamax-6965118-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Packed.Ardamax-6965118-0.
  • ClamAV detection on extracted artifact (severity: critical; rule: EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Reference to LoadLibrary API (severity: high; rule: SC_STR_LOADLIBRARY)
    String reference to LoadLibrary, the API used to load a DLL at run time; packers and shellcode use it to resolve imports without an import table.
  • Reference to GetProcAddress API (severity: high; rule: SC_STR_GETPROCADDRESS)
    String reference to GetProcAddress, the API used to look up a function address by name; paired with LoadLibrary it is the standard dynamic-import pattern of packed and position-independent code.
  • Document_Open macro (severity: high; rule: OLE_VBA_DOCOPEN)
    The VBA project defines a Document_Open handler, which runs automatically when the document is opened with macros enabled.
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS)
    Document contains VBA macro code.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename            Kind         Source                                                        Size
macros.bas          vba-macro    oletools.olevba.extract_macros (decoded VBA source)           367 bytes
  SHA-256: c12a9afc501f394aded96617370022359c4aadbcbfe9b3aac3c0894edacfaac4
ole10native_00.bin  ole-package  OLE Ole10Native stream: ObjectPool/_1346396403/Ole10Native   807,692 bytes
  SHA-256: dff0eb310f82a1523edc4d079e5914f36980bbf752778c374be5dd9fa758f055
  Detection: ClamAV: Win.Packed.Ardamax-6965118-0
  Obfuscation or payload: likely. Carved artifact entropy is 7.99 bits per byte (maximum 8.0), consistent with packed or encrypted content.
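The Ole10Native heuristic and the carved-artifact triage above (PE indicator, entropy, LoadLibrary/GetProcAddress strings) can be reproduced on any Word document. The following is an added example written for this page, not code from the analysis platform that produced the report. It parses the Ole10Native (Packager) stream layout as commonly documented: a 4-byte total size, a 2-byte flags field, NUL-terminated label and source path, an unknown 4-byte field, a length-prefixed temp path, then a 4-byte data size and the embedded bytes. The 7.0 entropy threshold, the helper names, and the two sample objects are assumptions constructed for the example; carving from a real file uses the third-party olefile package and is only run when a path is given.

```python
"""Triage an Ole10Native (Packager) object carved from a Word document.

Added example, not part of the original report. Parses the Ole10Native
stream layout as commonly documented and applies the report's static
checks (PE header, Shannon entropy, LoadLibrary/GetProcAddress strings)
to the embedded bytes. Sample input is constructed inline.
"""
import math
import random
import struct
from collections import Counter

HIGH_ENTROPY = 7.0  # assumed threshold; the report's 7.99 is far above it
RISKY_STRINGS = (b"LoadLibrary", b"GetProcAddress")


def _read_cstring(buf, pos):
    """Return (bytes, new_pos) for the NUL-terminated ANSI string at pos."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end], end + 1


def parse_ole10native(stream):
    """Split an Ole10Native stream into header fields and embedded data."""
    if len(stream) < 6:
        raise ValueError("stream too short for an Ole10Native header")
    total_size, flags = struct.unpack_from("<IH", stream, 0)
    pos = 6
    label, pos = _read_cstring(stream, pos)
    src_path, pos = _read_cstring(stream, pos)
    _unknown, temp_len = struct.unpack_from("<II", stream, pos)
    pos += 8
    temp_path = stream[pos:pos + temp_len].rstrip(b"\x00")
    pos += temp_len
    (data_size,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    data = stream[pos:pos + data_size]
    if len(data) != data_size:  # truncated or lying header: refuse, do not guess
        raise ValueError("declared data size %d exceeds stream" % data_size)
    return {"total_size": total_size, "flags": flags,
            "label": label.decode("latin-1"),
            "src_path": src_path.decode("latin-1"),
            "temp_path": temp_path.decode("latin-1"), "data": data}


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for packed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_payload(data):
    """Apply the report's static checks to the embedded object's bytes."""
    entropy = round(shannon_entropy(data), 2)
    return {"is_pe": data[:2] == b"MZ",
            "entropy": entropy,
            "high_entropy": entropy >= HIGH_ENTROPY,
            "api_strings": [s.decode() for s in RISKY_STRINGS if s in data]}


def build_ole10native(label, src_path, temp_path, payload):
    """Assemble a stream in the same layout; used only to make test input."""
    body = struct.pack("<H", 2) + label + b"\x00" + src_path + b"\x00"
    temp = temp_path + b"\x00"
    body += struct.pack("<II", 0x00030000, len(temp)) + temp
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


def carve_ole10native(doc_path):
    """Yield (stream_path, parsed) for each Ole10Native stream in an OLE file.

    Needs the third-party olefile package. Word stores these objects under
    ObjectPool, e.g. ObjectPool/_1346396403/Ole10Native in the report above.
    """
    import olefile  # lazy import so the parser runs without the dependency
    with olefile.OleFileIO(doc_path) as ole:
        for path in ole.listdir(streams=True, storages=False):
            if path[-1] == "Ole10Native":
                yield "/".join(path), parse_ole10native(ole.openstream(path).read())


# Constructed samples: a fake PE-like blob whose pseudo-random padding stands
# in for a packed executable and embeds the two API names, and a low-entropy
# control that should trip none of the checks.
_rng = random.Random(1337)
PACKED_SAMPLE = build_ole10native(
    b"update.exe", b"C:\\Users\\victim\\update.exe", b"C:\\Temp\\update.exe",
    b"MZ" + bytes(_rng.getrandbits(8) for _ in range(2048))
    + b"LoadLibraryA\x00GetProcAddress\x00"
    + bytes(_rng.getrandbits(8) for _ in range(2048)))
PLAIN_SAMPLE = build_ole10native(
    b"notes.txt", b"C:\\notes.txt", b"C:\\Temp\\notes.txt", b"A" * 4096)

if __name__ == "__main__":
    for name, blob in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        obj = parse_ole10native(blob)
        print(name, obj["label"], len(obj["data"]), triage_payload(obj["data"]))
```

Run it on a real sample with `for path, obj in carve_ole10native("sample.doc"): print(path, obj["label"], triage_payload(obj["data"]))`. The parser refuses a stream whose declared data size runs past the end rather than silently truncating, because a mismatch there is itself a malformation worth reporting; the entropy, PE and string checks are deliberately kept separate so each can be scored on its own, as the report's heuristics are.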