Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 eec483dfa20f9fb0…

MALICIOUS

Office (OLE)

Size: 662.5 KB
Created: 2007-11-30 10:21:00
Authoring application: Microsoft Word 10.0
MD5: 48a4df8b83158bfa148ae71c55da054e
SHA-1: b155395c4cdb1acc129c6a5eeaba1e31b6d1d788
SHA-256: eec483dfa20f9fb0a323ff62751048c5ea2796ce7330c36a6e9bd359761abdb5
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The sample is an OLE document containing an embedded PE executable. Heuristics indicate the potential for exploitation of CVE-2026-21514 and the use of WinExec and VirtualAlloc APIs, suggesting the embedded executable is likely malicious. The document body itself is a business proposal, a common lure for social engineering.

Heuristics (4)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation (severity: high; tag: CVE likely; rule: CVE_2026_21514)
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable (severity: critical; rule: OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable.
  • Reference to WinExec API (severity: high; rule: SC_STR_WINEXEC)
    Reference to WinExec API.
  • Reference to VirtualAlloc API (severity: medium; rule: SC_STR_VIRTUALALLOC)
    Reference to VirtualAlloc API.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename (with SHA-256), Kind, Source, Size.

  • embedded_office_00085204.exe
    SHA-256: f8789717125d019b3d43af33c46c6e14a00b1db1c47e59d261d85cb3fbadf9ab
    Kind: embedded-pe
    Source: Office, MZ+PE at offset 0x85204
    Size: 133116 bytes
  • ole10native_00.bin
    SHA-256: df825376aa04dc1d760780af63fc2060fc08a24e8f93806e3d9ee8e1ac2e8cb2
    Kind: ole-package
    Source: OLE Ole10Native stream ObjectPool/_1044115590/Ole10Native
    Size: 41580 bytes
  • ole10native_01.bin
    SHA-256: 782c797037638626c638ec00e7126acd86aef51736d1ae9c9af6adc31b08f237
    Kind: ole-package
    Source: OLE Ole10Native stream ObjectPool/_983772557/Ole10Native
    Size: 41580 bytes