Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 f9b95f3fe54408f2…

MALICIOUS

Office (OLE) / .DOC

Size: 200.5 KB
Created: 2010-07-05 18:21:00
Authoring application: Microsoft Office Word
MD5: c60fec6c54769de49f8f445d23961d53
SHA-1: 9eefc845acc8e3f9178685537f72da28ea1c4233
SHA-256: f9b95f3fe54408f24e9593853e2e6374016e4188c8d5153ad762d5c4df6ac84d
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The sample is a Microsoft Word (OLE/.DOC) document that carries an embedded PE executable and an Ole10Native (Packager) object, a combination the rule set treats as possible exploitation of CVE-2026-21514. String references to WinExec and VirtualAlloc found in the document (most plausibly in the embedded executable's imports or strings) are consistent with a loader that allocates memory and launches a payload; on their own they are weak indicators, but together with a carved PE they support the verdict. The embedded executable (extracted below as embedded_office_00023a9e.exe) is the primary IOC. The extracted URLs point at publisher and encyclopedia pages and are listed for context, not as detections. Note that the T1059.001 (PowerShell) mapping above is not backed by any PowerShell string or macro among the heuristics that follow.

Heuristics 5

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation   [high] [CVE likely]   rule: CVE_2026_21514
    The document contains a Word OLE object with an Ole10Native stream together with executable, PE or risky remote-link indicators. The CVE-2026-21514 rule concerns OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable   [critical]   rule: OLE_EMBEDDED_EXE
    An MZ/PE header was found inside the document: a possible embedded executable (carved as an artifact below).
  • Reference to WinExec API   [high]   rule: SC_STR_WINEXEC
    String reference to kernel32!WinExec, a legacy API that launches a program from a command line; a common way for a dropper to start the payload it has written to disk.
  • Reference to VirtualAlloc API   [medium]   rule: SC_STR_VIRTUALALLOC
    String reference to kernel32!VirtualAlloc, used to allocate memory at runtime (typically RWX memory for shellcode or an unpacked payload).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.actamat.org/article/S1359-6454%2802%2900021-6/abstract
    • http://en.wikipedia.org/wiki/Energy-dispersive_X-ray_spectroscopy
    • http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6TX5-4W0WJ0X-3&_user=10&_coverDate=10%2F31%2F2009&_alid=1278240362&_rdoc=3&_fmt=high&_orig=search&_cdi=5581&_sort=r&_docanchor=&view=c&_ct=3&_acct=C000050221&_version=1&_urlVersion=0&_userid=10&md5=16655ab630a4da36aaeacebad46a118d
    • http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6TX5-4T54285-1&_user=10&_coverDate=05%2F31%2F2009&_alid=1278238921&_rdoc=4&_fmt=high&_orig=search&_cdi=5581&_sort=r&_docanchor=&view=c&_ct=14&_acct=C000050221&_version=1&_urlVersion=0&_userid=10&md5=a9854a945d55b8f5afa3385e34093510
    • http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6TX5-4B3NMF6-1&_user=10&_coverDate=06%2F30%2F2004&_alid=1278238991&_rdoc=5&_fmt=high&_orig=search&_cdi=5581&_sort=r&_docanchor=&view=c&_ct=5&_acct=C000050221&_version=1&_urlVersion=0&_userid=10&md5=f696cb98a012c08b6fa13b5871039293
    • http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6TY2-48GVPC3-1&_user=10&_coverDate=07%2F31%2F2003&_alid=1278243073&_rdoc=1&_fmt=high&_orig=search&_cdi=5606&_sort=r&_docanchor=&view=c&_ct=3&_acct=C000050221&_version=1&_urlVersion=0&_userid=10&md5=db82391429f25e578298908ace036961
    • http://www.sciencedirect.com/science/journal/10445803
    • http://www.sciencedirect.com/science?_ob=PublicationURL&_tockey=%23TOC%235592%232008%23999409992%23690557%23FLA%23&_cdi=5592&_pubType=J&view=c&_auth=y&_acct=C000050221&_version=1&_urlVersion=0&_userid=10&md5=60a329fd879cf3807ca99c7be3b5cf64
    • http://www.sciencedirect.com/science/journal/13596454
    • http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B82XX-4P5KMDB-5&_user=10&_coverDate=06%2F30%2F2007&_alid=1278244408&_rdoc=9&_fmt=high&_orig=search&_cdi=33042&_sort=r&_docanchor=&view=c&_ct=9&_acct=C000050221&_version=1&_urlVersion=0&_userid=10&md5=5ecabd271eb63998ad32b7ad8a398d0c
    • http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6TWS-4TVTJST-2&_user=10&_coverDate=02%2F28%2F2009&_alid=1278247150&_rdoc=9&_fmt=high&_orig=search&_cdi=5570&_sort=r&_docanchor=&view=c&_ct=882&_acct=C000050221&_version=1&_urlVersion=0&_userid=10&md5=96791aa23ea33a1ec620c32df96c95b8
    • http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6TX5-4Y5GXSD-3&_user=10&_coverDate=06%2F30%2F2010&_alid=1277635085&_rdoc=2&_fmt=high&_orig=search&_cdi=5581&_sort=r&_docanchor=&view=c&_ct=42&_acct=C000050221&_version=1&_urlVersion=0&_userid=10&md5=3149739a20d6def3af54dd6412780f4d
    • http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6TX5-4GV8STV-1&_user=10&_coverDate=12%2F31%2F2007&_alid=1277635085&_rdoc=4&_fmt=high&_orig=search&_cdi=5581&_sort=r&_docanchor=&view=c&_ct=42&_acct=C000050221&_version=1&_urlVersion=0&_userid=10&md5=0672aefce8a69e5cf9ef96e818a73b14
    • http://schemas.openxmlformats.org/drawingml/2006/main
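How the OLE_EMBEDDED_EXE finding is reached in practice, as an added example that is not code from the analysis engine behind this report: scan the raw .doc bytes for an MZ header, validate it through e_lfanew and the PE signature, then compute the image's on-disk extent from the section table so that the carve length (the 59234 bytes reported for the artifact below) is derived from the headers rather than guessed. The document and the PE it runs on are constructed inline for the demo; they are not the sample.

```python
import struct

PE_SIGNATURE = b"PE\0\0"


def pe_image_extent(data, mz_off):
    """Validate the MZ header at mz_off and return the length of the PE image as
    laid out on disk (end of the last section's raw data, or the end of the
    headers if no section has raw data). Returns None if it is not a well-formed
    PE. Every offset read from the blob is attacker-controlled, so each one is
    bounds-checked before it is dereferenced."""
    if data[mz_off:mz_off + 2] != b"MZ" or mz_off + 0x40 > len(data):
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, mz_off + 0x3C)
    pe_off = mz_off + e_lfanew
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe_off + 24 > len(data):
        return None
    if data[pe_off:pe_off + 4] != PE_SIGNATURE:
        return None
    (num_sections,) = struct.unpack_from("<H", data, pe_off + 6)    # COFF NumberOfSections
    (size_opt,) = struct.unpack_from("<H", data, pe_off + 20)       # COFF SizeOfOptionalHeader
    sect_off = pe_off + 24 + size_opt                                # first IMAGE_SECTION_HEADER
    if num_sections == 0 or num_sections > 96 or sect_off + 40 * num_sections > len(data):
        return None
    end = sect_off + 40 * num_sections - mz_off                      # headers alone
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_off + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return min(end, len(data) - mz_off)   # clamp: the embedded image may be truncated


def find_embedded_pe(data):
    """Scan a blob (here a raw OLE document) for embedded PE images, the check
    behind the OLE_EMBEDDED_EXE heuristic. Returns a list of (offset, length)."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        length = pe_image_extent(data, pos)
        if length:
            hits.append((pos, length))
            pos = data.find(b"MZ", pos + length)   # resume after the carved image
        else:
            pos = data.find(b"MZ", pos + 1)        # bare "MZ" bytes, not a PE
    return hits


def describe(hits):
    """Render hits in the same form the report uses for the artifact source."""
    return [f"MZ+PE at offset 0x{off:X} ({length} bytes)" for off, length in hits]


def build_test_pe(payload=b"\xcc" * 0x30):
    """Constructed minimal PE32 image for the demo (not the sample's executable):
    64-byte DOS header, COFF + optional header, one .text section at raw offset 0x200."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = PE_SIGNATURE + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), 0x200, 0, 0, 0, 0, 0x60000020)
    return (bytes(dos) + coff + bytes(opt) + sect).ljust(0x200, b"\0") + payload


# Constructed stand-in for a .doc: OLE magic, filler, a decoy "MZ" that is not a
# PE, then the fake executable, then trailing document data.
_FILLER = b"\0" * 0x800
SAMPLE_DOC = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + _FILLER + b"MZtext" + _FILLER
              + build_test_pe() + b"B" * 0x100)

if __name__ == "__main__":
    for line in describe(find_embedded_pe(SAMPLE_DOC)):
        print(line)
```

The decoy shows why a bare "MZ" search is not enough: the two bytes occur in ordinary text, so the carver only reports an image once e_lfanew lands on a real PE signature and the section table parses. When the file ends before the last section's raw data, the length is clamped to what is actually present rather than reading past the buffer.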

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename                      Kind          Source                                                        Size
embedded_office_00023a9e.exe  embedded-pe   Office MZ+PE at offset 0x23A9E                                59234 bytes
    SHA-256: 62ffc9e9658024b320b0c97fbe1518709ebba4ebb3516f726d9499fa726406c8
ole10native_00.bin            ole-package   OLE Ole10Native stream: ObjectPool/_1331911321/Ole10Native   41580 bytes
    SHA-256: b20f6c21aec432399b31454e7962a58787f0382465bff1cfa9d21c8b171178d6
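A parser for the Ole10Native stream that the first heuristic and the ole10native_00.bin artifact refer to, added here as an example; it is not part of the original report or its analysis engine. The field layout it assumes (declared size, flags, label, original path, two DWORDs treated as opaque, temporary path, payload size, payload) is the common Packager layout, the same field order oletools' oleobj reads. The stream it runs on is constructed inline and is not the sample's ObjectPool/_1331911321/Ole10Native stream.

```python
import hashlib
import struct


def _cstr(buf, pos):
    """Read a NUL-terminated ANSI string at pos; return (text, position after the NUL)."""
    end = buf.index(b"\0", pos)          # raises ValueError if unterminated (malformed)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_ole10native(stream):
    """Parse the bytes of an Ole10Native (Packager) stream.
    Layout (Packager object, same field order as oletools' oleobj):
      DWORD declared size of the remainder, WORD flags (2 = embedded file),
      NUL-terminated label, NUL-terminated original path, two DWORDs treated as
      opaque here, NUL-terminated temporary path, DWORD payload size, payload."""
    if len(stream) < 6:
        raise ValueError("stream too short")
    (declared,) = struct.unpack_from("<I", stream, 0)
    if declared + 4 > len(stream):
        raise ValueError("declared size %d exceeds stream length %d" % (declared, len(stream)))
    (flags,) = struct.unpack_from("<H", stream, 4)
    label, pos = _cstr(stream, 6)
    original_path, pos = _cstr(stream, pos)
    pos += 8                              # two opaque DWORDs
    temp_path, pos = _cstr(stream, pos)
    (size,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    if pos + size > len(stream):
        raise ValueError("payload size %d exceeds stream length %d" % (size, len(stream)))
    payload = stream[pos:pos + size]
    return {
        "flags": flags,
        "label": label,
        "original_path": original_path,
        "temp_path": temp_path,
        "payload": payload,
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


EXECUTABLE_EXTENSIONS = {"exe", "dll", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                         "vbs", "vbe", "wsf", "hta", "ps1", "lnk", "msi"}


def triage(parsed):
    """Reasons a packaged object deserves attention (empty list means nothing obvious)."""
    reasons = []
    if parsed["payload"][:2] == b"MZ":
        reasons.append("payload starts with an MZ header (embedded executable)")
    name = parsed["original_path"].replace("\\", "/").rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("original file name has executable extension ." + ext)
    if parsed["label"] != name:
        reasons.append("label %r differs from packaged file name %r" % (parsed["label"], name))
    return reasons


def build_ole10native(label, original_path, temp_path, payload, flags=2):
    """Build a stream in the layout above; used only to construct the demo input."""
    body = struct.pack("<H", flags) + label.encode("latin-1") + b"\0"
    body += original_path.encode("latin-1") + b"\0"
    body += struct.pack("<II", 0x00030000, len(temp_path) + 1)   # opaque fields, typical values
    body += temp_path.encode("latin-1") + b"\0"
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


# Constructed demo stream (not the sample's ObjectPool/_1331911321/Ole10Native).
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 0x80
SAMPLE_STREAM = build_ole10native(
    "paper.pdf", r"C:\Users\author\Desktop\paper.exe",
    r"C:\Users\author\AppData\Local\Temp\paper.exe", SAMPLE_PAYLOAD)

if __name__ == "__main__":
    info = parse_ole10native(SAMPLE_STREAM)
    print(info["label"], info["original_path"], len(info["payload"]), info["sha256"])
    for reason in triage(info):
        print(" -", reason)
```

With a real document the stream bytes come from reading the Ole10Native entry under ObjectPool with an OLE library such as olefile; the parser works on the raw stream bytes either way. The triage step highlights the two things an analyst checks first on a Packager object: whether the payload is itself a PE (as with the carved artifact above) and whether the label shown to the user disagrees with the packaged file's real name and extension, which is how a lure hides an executable behind a document-looking icon. Both size fields are checked against the stream length before slicing, so a truncated or hostile stream raises instead of silently returning a partial payload.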