Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 fe5bdf0ee70b228b…

MALICIOUS

Office (OLE) / .DOC

Size: 129.5 KB
Authoring application: TX_WORD 14.0.510.500
MD5: 8d9f17b7dbb395f39353c62065e03b78
SHA-1: 937c2109daca2b4d5beb930df67820e9f4504aca
SHA-256: fe5bdf0ee70b228b6465f0b3d8831aea917cfdcea4835c7290bc41395529b5cd
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The document contains an embedded PE executable, identified by an MZ header. Heuristics also flag references to the WinExec and VirtualAlloc APIs, suggesting that the payload executes code. The presence of an embedded executable strongly points towards a malware delivery attempt, likely relying on the user to open or interact with the embedded file. The document body itself appears to be a technical paper, which may serve as a lure to disguise the malicious payload.

Heuristics (4)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation (severity: high; tag: CVE likely; id: CVE_2026_21514)
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 concerns OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable (severity: critical; id: OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable.
  • Reference to WinExec API (severity: high; id: SC_STR_WINEXEC)
  • Reference to VirtualAlloc API (severity: medium; id: SC_STR_VIRTUALALLOC)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • embedded_office_0000509e.exe
    SHA-256: 82f489444c614694764a9e41101595e3ea3a9c8d79a0114ce40e7bfadd7534f9
    Kind: embedded-pe
    Source: Office, MZ+PE at offset 0x509E
    Size: 111970 bytes
  • ole10native_00.bin
    SHA-256: b20f6c21aec432399b31454e7962a58787f0382465bff1cfa9d21c8b171178d6
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_1/Ole10Native
    Size: 41580 bytes