Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 eae019b3b9e4c1d6…

MALICIOUS

Office (OLE) / .DOC

Size: 886.0 KB
Created: 2009-09-22 14:25:00
Authoring application: Microsoft Word 8.0
MD5: ed1a3d5c06a768eae61469ba7a958e1a
SHA-1: d864b53a7ce92366cf17d912c984f140f870e29b
SHA-256: eae019b3b9e4c1d6a17e401955d6506ea2e9768d5b6e94d3efd9d7b429c9f087
Risk Score: 320

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The file is a Microsoft Word document carrying an embedded PE executable, which ClamAV identifies as Doc.Trojan.Beast-11. The document body discusses a legal agreement, most likely a lure that gives the recipient a reason to open the packaged object. String references to WinExec, VirtualAlloc and LoadLibrary, together with the embedded executable and the Ole10Native package structure, strongly suggest the document is built to drop and execute a malicious payload. Note that the T1059.001 (PowerShell) mapping is not corroborated by any heuristic listed on this page; the evidence shown points to direct execution of the packaged PE (T1204.002).

Heuristics (7)

  • OLE with Ole10Native: possible CVE-2026-21514 exploitation  [high]  CVE likely  CVE_2026_21514
    Document contains a Word OLE object with an Ole10Native stream plus an executable, PE, or risky remote-link indicator. CVE-2026-21514 concerns OLE metadata validation, and this stronger structure is treated as likely exploitation rather than a generic OLE-package hit. Caveat: the rule fires on structure alone (Ole10Native plus an embedded PE), which is also what an ordinary Packager-based dropper looks like without any vulnerability; nothing on this page shows the metadata trigger itself, so treat the CVE attribution as inferred, not observed.
  • Embedded PE executable  [critical]  OLE_EMBEDDED_EXE
    MZ/PE header found inside the document (at offset 0xB5E04, see Extracted artifacts), indicating an embedded executable.
  • ClamAV: Doc.Trojan.Beast-11  [critical]  CLAMAV_DETECTION
    ClamAV detected the document itself as malware: Doc.Trojan.Beast-11.
  • ClamAV detection on extracted artifact  [critical]  EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Reference to WinExec API  [high]  SC_STR_WINEXEC
    String reference to WinExec. The API launches a program by path and is a common way for a dropper to run a payload it has written to disk.
  • Reference to LoadLibrary API  [high]  SC_STR_LOADLIBRARY
    String reference to LoadLibrary. The API loads a DLL at runtime, which lets a payload resolve imports dynamically instead of listing them in its import table.
  • Reference to VirtualAlloc API  [medium]  SC_STR_VIRTUALALLOC
    String reference to VirtualAlloc. The API reserves writable (often executable) memory and is typical of in-memory unpacking or shellcode staging. The SC_STR_* rules are plain string matches, not resolved imports, so they say that the names are present, not that the code path is reached.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: embedded_office_000b5e04.exe
  SHA-256: ebdcf82d3da61f6f974f19e8a427e6884c45999561cbca1aa317efdb9872e4c7
  Kind: embedded-pe
  Source: Office, MZ+PE at offset 0xB5E04
  Size: 162300 bytes
  Detection: ClamAV: Doc.Trojan.Beast-11
  Obfuscation or payload: unlikely

Filename: ole10native_00.bin
  SHA-256: 3e03fe1b3ffab88cd69245ea02e7244cee60c2f45f9c9fde6e93876ed782bfff
  Kind: ole-package
  Source: OLE Ole10Native stream ObjectPool/_1129621659/Ole10Native
  Size: 56428 bytes
  Detection: ClamAV: Doc.Trojan.Beast-11
  Obfuscation or payload: unlikely

Note on the two sizes: the raw-offset carve (162300 bytes from 0xB5E04) is larger than the entire Ole10Native stream (56428 bytes), so it cannot be the packaged executable's true length; the carver most likely ran on past the payload's end. OLE/CFB also stores streams in sectors that need not be contiguous, so a carve at a raw file offset can pick up unrelated sectors. For hashing, sharing or detonation, prefer the payload recovered by parsing the Ole10Native stream (ole10native_00.bin), whose header carries the declared data size.
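As an added worked example (not the analysis platform's own carving code, and not bytes from this sample), here are the two checks behind the OLE_EMBEDDED_EXE hit and the Ole10Native artifact above, in Python. It validates each MZ header by following e_lfanew to the PE signature, walks the Packager Ole10Native layout (size, flags, label, original path, reserved dword, temp-path length, temp path, data size, data; this is the common layout and is assumed here) to recover the packaged payload and its declared size, and then searches the carved payload for the API strings the SC_STR_* heuristics key on. The document and stream bytes are constructed inline so the script runs offline; on a real .doc the stream would be read with olefile, for example ole.openstream('ObjectPool/_1129621659/Ole10Native').

```python
"""Carve an Ole10Native-packaged payload and locate embedded PE images.

Added illustration for this report, not code from the analysis platform.
The stream and document bytes below are constructed to mimic the layout the
report describes (a Packager Ole10Native stream wrapping an MZ/PE image);
they are not bytes from the real sample.
"""
import struct

# API names the report's SC_STR_* heuristics look for as plain strings.
RISKY_APIS = (b"WinExec", b"LoadLibrary", b"VirtualAlloc",
              b"CreateProcess", b"URLDownloadToFile")


def find_pe_images(buf: bytes) -> list:
    """Return (mz_offset, pe_offset) for each 'MZ' whose e_lfanew (DOS header
    +0x3C) points at a 'PE\\0\\0' signature. Checking the PE signature, not just
    'MZ', keeps the embedded-executable check from firing on random text."""
    hits = []
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):             # need a full DOS header
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and buf[pe:pe + 4] == b"PE\x00\x00":
                hits.append((pos, pe))
        pos = buf.find(b"MZ", pos + 1)
    return hits


def _cstring(buf: bytes, pos: int):
    """Read a NUL-terminated ANSI string at pos; return (text, next_pos)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_ole10native(stream: bytes) -> dict:
    """Parse the Packager Ole10Native layout (assumed common form):
    u32 total_size, u16 flags, label\\0, original_path\\0, u32 reserved,
    u32 temp_path_len, temp_path\\0, u32 data_size, data[data_size]."""
    total_size, flags = struct.unpack_from("<IH", stream, 0)
    label, pos = _cstring(stream, 6)
    orig_path, pos = _cstring(stream, pos)
    pos += 8                                   # reserved dword + temp-path length
    temp_path, pos = _cstring(stream, pos)
    data_size = struct.unpack_from("<I", stream, pos)[0]
    data = stream[pos + 4:pos + 4 + data_size]
    if len(data) != data_size:                 # truncated stream or lying header
        raise ValueError("Ole10Native payload truncated: header says %d, have %d"
                         % (data_size, len(data)))
    return {"flags": flags, "label": label, "original_path": orig_path,
            "temp_path": temp_path, "size_ok": total_size == len(stream) - 4,
            "data": data}


def risky_api_refs(blob: bytes) -> list:
    """Names from RISKY_APIS that occur as plain strings in blob."""
    return [name.decode() for name in RISKY_APIS if name in blob]


# ---- constructed test input (not the real sample) ---------------------------
def build_fake_pe(tail: bytes) -> bytes:
    """MZ/PE-shaped blob for exercising the carver; it is not an executable."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew: PE header follows DOS header
    return bytes(dos) + b"PE\x00\x00" + tail


def build_ole10native(label: str, orig_path: str, temp_path: str, payload: bytes) -> bytes:
    body = struct.pack("<H", 2) + label.encode() + b"\x00" + orig_path.encode() + b"\x00"
    body += struct.pack("<II", 0x00030000, len(temp_path) + 1) + temp_path.encode() + b"\x00"
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


FAKE_PE = build_fake_pe(b"\x00KERNEL32.dll\x00WinExec\x00LoadLibraryA\x00VirtualAlloc\x00")
STREAM = build_ole10native("agreement.exe", r"C:\Users\x\agreement.exe",
                           r"C:\Users\x\AppData\Local\Temp\agreement.exe", FAKE_PE)
# Stand-in for the whole .doc: OLE magic, a lure-text fragment, then the stream.
DOC = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 0x1F8
       + b"Legal agreement" + b"\x00" * 64 + STREAM)


def analyze(doc: bytes, stream: bytes) -> dict:
    pkg = parse_ole10native(stream)
    return {"pe_images": find_pe_images(doc), "package": pkg,
            "payload_is_pe": bool(find_pe_images(pkg["data"])),
            "api_refs": risky_api_refs(pkg["data"])}


if __name__ == "__main__":
    r = analyze(DOC, STREAM)
    for mz, pe in r["pe_images"]:
        print("MZ+PE at offset 0x%X (PE header at 0x%X)" % (mz, pe))
    p = r["package"]
    print("Ole10Native label=%r temp=%r size_ok=%s" % (p["label"], p["temp_path"], p["size_ok"]))
    print("payload is PE:", r["payload_is_pe"], "API refs:", r["api_refs"])
```

The declared data_size from the Ole10Native header is the length to trust when carving the payload; a raw scan from the MZ offset to end of file, as the size column above suggests happened here, will over-read. Run the script as-is to see the carve succeed, and feed parse_ole10native a truncated stream to see the length check refuse a payload whose header promises more bytes than are present.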