Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 eadae73398980c34…

MALICIOUS

Office (OLE) / .DOCX

Size: 71.5 KB
Created: 2020-01-28 19:57:00
Authoring application: Microsoft Office Word
MD5: d92a4934c95642d4aebf17b180564f55
SHA-1: 24886e7ae4649cec7e85a352096455bcff89312a
SHA-256: eadae73398980c346cf5783b2f1119cc8af3619ce405f32b943b56013c27d597
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1559.002 Component Object Model Hijacking

The file is an OLE document containing embedded OLE packages, identified as potentially malicious. Heuristics indicate a possible CVE-2026-21514 exploitation attempt and that the embedded packages contain executable or script files, specifically identified as .bat files. The document also contains a lure to enable macros or editing, a common tactic for malware droppers. The embedded artifacts 'ole10native_00.bin' and 'ole10native_01.bin' are the primary indicators of compromise.

Heuristics (4)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation (severity: high; CVE likely; id: CVE_2026_21514)
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Ole10Native package carries executable/script file type (severity: high; id: OFFICE_PACKAGE_RISKY_FILE)
    OLE Package displayName or fullPath ends in an executable or script-capable extension. Even without UI extension spoofing, embedding a runnable payload inside an Office document is a high-risk delivery pattern.
  • Macro/content-enable lure (severity: medium; id: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
  • Embedded URL (severity: info; id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
ole10native_00.bin | b9b55fd0b62a79bc64b32af0f07bd7e4923ace694487c30f0adfc1af8dcce304 | ole-package | OLE Ole10Native stream: ObjectPool/_1642761317/Ole10Native | 25689 bytes
ole10native_01.bin | 89ffc8699a785c4c44309517d6ced0448ab2fb7c91c660c7c596b0f99d6407fa | ole-package | OLE Ole10Native stream: ObjectPool/_1642761318/Ole10Native | 25716 bytes