Office (OLE) malware analysis — malicious · ec0facf3edf30f2e

MALICIOUS

Office (OLE)

122.0 KB Created: 2012-10-16 19:15:00 Authoring application: Microsoft Office Word First seen: 2019-01-31

MD5: 6af3a3ea4951de3866683b65ff894cac SHA-1: c60629ed0c8d5bc55868a06a4902210f14c7f3d6 SHA-256: ec0facf3edf30f2e8ad9c05ebdc5c78e826ac404ca729e7835def5cd66379164

160 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is an OLE file that contains an embedded executable payload, indicated by the 'OFFICE_PACKAGE_RISKY_FILE' heuristic. It also references WinExec and VirtualAlloc APIs, suggesting execution capabilities. The presence of Ole10Native points to a potential exploitation of CVE-2026-21514, which is often used to deliver second-stage malware.

Heuristics 4

OLE with Ole10Native — possible CVE-2026-21514 exploitation high CVE likely CVE_2026_21514

Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE

OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ole10native_00.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1199195034/Ole10Native	41580 bytes
SHA-256: `8266258f854cabec116cd02a7401dbfc718d398bff01d9640f65b429cc1cd82f`

Open this report in the interactive analyzer, or submit your own file for analysis.