Win.Downloader.20749-2 — Office (OLE) / .DOC malware analysis

Static analysis result for SHA-256 f104a108f820ad26…

MALICIOUS

Office (OLE) / .DOC

Size: 918.0 KB
Created: 2010-03-05 04:59:00
Authoring application: Microsoft Office Word
MD5: d62f5eb9a77c9e320d851577e8d9e94e
SHA-1: 804bc895c33b8370e27f9c7503d6cdb84768ee85
SHA-256: f104a108f820ad261ad6b71e4b760ae5cf549265d93c77a470d5bc8772afb7db
Risk Score: 280

Malware Insights

Win.Downloader.20749-2 · confidence 95%

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The file is a malicious OLE document containing an embedded PE executable. The document body attempts to socially engineer the user into opening the embedded file by presenting it as a holiday greeting. The embedded executable was detected by ClamAV as Win.Downloader.20749-2, indicating its purpose is to download and execute additional malicious payloads. References to VirtualAlloc and GetProcAddress APIs suggest dynamic code loading and execution capabilities within the embedded payload.

Heuristics (6)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation (severity: high; tag: CVE likely; rule: CVE_2026_21514)
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable (severity: critical; rule: OLE_EMBEDDED_EXE)
    MZ/PE header found inside document: possible embedded executable.
  • ClamAV: Win.Downloader.20749-2 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Downloader.20749-2.
  • ClamAV detection on extracted artifact (severity: critical; rule: EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Reference to GetProcAddress API (severity: high; rule: SC_STR_GETPROCADDRESS)
  • Reference to VirtualAlloc API (severity: medium; rule: SC_STR_VIRTUALALLOC)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: embedded_office_00004c6d.exe
  SHA-256: 0f6699f323c2a27b47e892b3d577d917fbe217f5e3aee85605d0794893d9f879
  Kind: embedded-pe
  Source: Office MZ+PE at offset 0x4C6D
  Size: 920467 bytes
  Detection: ClamAV: Win.Downloader.20749-2
  Obfuscation or payload: unlikely

Artifact 2
  Filename: ole10native_00.bin
  SHA-256: aa089a42f54a253f1e7bfa4e99a0f458c7e20ed460ac1e42119bca62234bf56c
  Kind: ole-package
  Source: OLE Ole10Native stream: ObjectPool/_1329494255/Ole10Native
  Size: 916591 bytes
  Detection: ClamAV: Win.Downloader.20749-2
  Obfuscation or payload: unlikely