Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 f46200110df68596…

MALICIOUS

Office (OLE) / .DOCX

Size: 72.5 KB
Created: 2020-03-05 01:56:00
Authoring application: Microsoft Office Word
MD5: 8d46199038562dcb24839d46c89ed266
SHA-1: b7f7f2bce0891e99a181c9b32ae46c01bdef7cc0
SHA-256: f46200110df685967fe3521360be461b1204f8f39a2aa785c4885fe3f142082b
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The file is identified as malicious by ClamAV as 'Doc.Dropper.Agent-7611665-0'. Static analysis revealed OLE objects with Ole10Native, a known indicator for exploitation attempts like CVE-2026-21514. The presence of a '.bat' extension within the Ole10Native package further suggests it carries an executable or script. The embedded OLE objects are the primary indicators of malicious intent, likely serving as a dropper for further malicious activity.

Heuristics 4

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation | high | CVE likely | CVE_2026_21514
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • ClamAV: Doc.Dropper.Agent-7611665-0 | critical | CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7611665-0
  • Ole10Native package carries executable/script file type | high | OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in an executable or script-capable extension. Even without UI extension spoofing, embedding a runnable payload inside an Office document is a high-risk delivery pattern.
  • Embedded URL | info | EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • Filename: ole10native_00.bin
    Hash: 7997ded27d22f27ffa5e04a28e48f5c477d05256fa7808a22f83f2ea5497200b
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_1644849943/Ole10Native
    Size: 26191 bytes
  • Filename: ole10native_01.bin
    Hash: 520b6fb520d317d1395e90f4770a15fa9d938282875e947e29a7dd48d8f3b373
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_1644849944/Ole10Native
    Size: 26200 bytes