Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 e5df4468b3751e21…

MALICIOUS

Office (OLE) / .DOC

Size: 645.5 KB
Created: 2007-01-12 17:50:00
Authoring application: Microsoft Office Word
MD5: e8f5fe2eb504fb66ed1face87eaf03b4
SHA-1: f94babe0f912108e3c05a91e1287c196ebf35508
SHA-256: e5df4468b3751e2161e127488ad3b34b0f62b4d4bf8e9311eba82fd12287b31c
Risk Score: 188

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The sample is an OLE document with an embedded PE executable and references to LoadLibrary and GetProcAddress APIs, indicating dynamic code loading. The presence of an embedded executable and the Ole10Native structure strongly suggest the document is designed to drop and execute a secondary payload. The embedded URLs, while not definitively malicious, are associated with the document's content.

Heuristics (6)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation (severity: high, CVE likely; rule: CVE_2026_21514)
    Document contains a Word OLE object with an Ole10Native stream plus executable, PE, or risky remote-link indicators. CVE-2026-21514 abuses OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable (severity: critical; rule: OLE_EMBEDDED_EXE)
    MZ/PE header found inside the document — possible embedded executable.
  • Reference to LoadLibrary API (severity: high; rule: SC_STR_LOADLIBRARY)
    The string "LoadLibrary" was found in the sample, a common marker of dynamic code loading.
  • Reference to GetProcAddress API (severity: high; rule: SC_STR_GETPROCADDRESS)
    The string "GetProcAddress" was found in the sample, commonly paired with LoadLibrary to resolve imports at runtime.
  • VBA project contains no executable statements (severity: low; rule: OLE_VBA_MACROS)
    Document contains a VBA project, but the extracted modules contain only attributes, options, and comments, with no executable statements.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.cssmi.qc.ca/cgi-bin/profil/histogr-base.GIF
    • http://www.cssmi.qc.ca/cgi-bin/profil/hist-base2.gif
    • http://users.skynet.be/ameurant/francinfo/validite/index.html

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: 31113f0710d2984b60c74238bf423738d41894225e5b28a10bf19561390f673b
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 851 bytes
  • embedded_office_0008de6a.exe
    SHA-256: 942fad0ab4790d33fc81a24150b9337e36800c1f23cc00ee0a3443942ea54d13
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x8DE6A
    Size: 79766 bytes
  • ole10native_00.bin
    SHA-256: 6a874bd221d596f0a0a90bac520b8426ab1bbb7ead735354cb68d2005a545f5a
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_1232439392/Ole10Native
    Size: 28268 bytes