Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 e8a985d7522e5eff…

MALICIOUS

Office (OOXML)

Size: 1.72 MB
Created: 2014-06-23 16:05:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2020-05-25
MD5: 848e3a5824049f1a8e9a632460cbe2ca
SHA-1: bdf0f1b55a5f9cecab5ac46166f23a5982e78ac9
SHA-256: e8a985d7522e5efff800240a3006df596c1df029d590037c7f8792e12bbb8a3e
Risk Score: 172

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample contains an embedded OLE object with Ole10Native indicators, strongly suggesting exploitation of CVE-2026-21514. This object functions as a download-and-execute script, fetching a payload from URLs such as http://nsis.sf.net/NSIS_Error and http://www.w3.org/1999/02/22-rdf-syntax-ns#. The presence of an executable payload within the OLE package confirms its role as a dropper.

Heuristics (7)

  • Ole10Native package drops an auto-executable payload [critical] OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Ole10Native package payload is a download-and-execute script [critical] OFFICE_PACKAGE_SCRIPT_DROPPER
    The OLE Package's embedded payload contains a script that hosts a shell (PowerShell/WScript/mshta), fetches a remote resource, and executes it — a download-and-run dropper. Embedding such a script inside an Office document via the Object Packager is a direct user-execution delivery technique (MITRE T1204.002), not a benign attachment.
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object.
  • Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • External hyperlinks (1) [low] OOXML_EXTERNAL_HYPERLINKS
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: http://www.lipsum.com/
  • Payload URL recovered from embedded OLE object (14 URLs) [info] OOXML_EMBEDDED_OBJECT_URL
    An embedded OLE object (xl/word/ppt embeddings) carries a next-stage download URL in its Ole10Native/Package stream — stored literally (incl. UTF-16) or base64-encoded — which the package-level URL sweep does not see. Surfaced as an IOC; self-validating (only real payload hosts).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (8)

Files carved from inside the sample during analysis.

  • ooxml_oleobject_00.bin
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
    Size: 284160 bytes
    SHA-256: f8d69a4ef3de840d0e5d4daf2e73c19c8e99dd3648d8aaadd9bab5d507d13b96
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Static shellcode analysis found candidate code region(s). Indicators: SC_STR_LOADLIBRARY, SC_GETPC_CALL. Static shellcode analysis recovered API/import strings: kernel32.dll, KERNEL32.DLL, LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualProtect. Carved artifact entropy is 7.93, consistent with packed or encrypted content.
  • ooxml_oleobject_00_ole10native_00.bin
    Kind: ole-package
    Source: OOXML word/embeddings/oleObject1.bin, Ole10Native stream: Ole10Native
    Size: 273604 bytes
    SHA-256: eb0910f62ce9f858176db7f91144af009d2a41eb03eaac1f12121cfa073ce7d1
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Static shellcode analysis found candidate code region(s). Indicators: SC_STR_LOADLIBRARY, SC_GETPC_CALL. Static shellcode analysis recovered API/import strings: kernel32.dll, KERNEL32.DLL, LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualProtect. Carved artifact entropy is 7.99, consistent with packed or encrypted content.
  • ooxml_oleobject_01.bin
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject3.bin
    Size: 1553920 bytes
    SHA-256: 393b97cbf23b544f41a60fd1d90f63c5e89a96205272625406380616103b6bea
  • ooxml_oleobject_02.bin
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject2.bin
    Size: 1214976 bytes
    SHA-256: b24a21b591658417b772d951dacb5395dceb0c6a7bd9c77d8d046c1fbb69b6b5
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact entropy is 7.86, consistent with packed or encrypted content.
  • ooxml_oleobject_02_ole10native_00.bin
    Kind: ole-package
    Source: OOXML word/embeddings/oleObject2.bin, Ole10Native stream: Ole10Native
    Size: 1197414 bytes
    SHA-256: da0715d85ade9fb2fd52bd3a34e9a58726cad5c1fd9aa8915727a2cc18db167c
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact entropy is 7.92, consistent with packed or encrypted content.
  • emf_00.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image3.emf
    Size: 1454420 bytes
    SHA-256: 8dda94383dfad7d1df2cefead311ce9771c050eb0af75f3b0403106e9c5a5e69
  • emf_01.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 5000 bytes
    SHA-256: 46b28911825f8f108ff87a0ede5452b58cc40873f1c5403d4e6dfbd44cf1bd98
  • emf_02.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image2.emf
    Size: 5060 bytes
    SHA-256: 4f8184209be820d3d89a928f63a9ff2e805c02a80fedaa9dbf48d8ddcf398385