Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 ff1df7212e564687…

MALICIOUS

Office (OLE) / .DOC

Size: 770.0 KB
Created: 2020-02-28 03:49:00
Authoring application: Microsoft Office Word
First seen: 2022-05-20
MD5: a9870fa558f63f4ddb181d417209909c
SHA-1: 34014f3d6a876c3c1cd0b0763b1819dd225e9443
SHA-256: ff1df7212e5646877e83767fbbc9eba9abebb1d715fac5d00cdbc0698de5c899
Risk Score: 284

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1559.002 Component Object Model Hijacking
  • T1204.002 Malicious File

The sample is a malicious OLE document containing VBA macros. The AutoOpen macro triggers the embedded OLE package, which is identified as a PE executable. This executable is likely the primary payload. The presence of an Ole10Native stream and references to the LoadLibrary and GetProcAddress APIs suggest the embedded executable is designed to be loaded and executed, potentially exploiting a vulnerability like CVE-2026-21514.

Heuristics (9)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation (severity: high; tag: CVE likely; id: CVE_2026_21514)
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable (severity: critical; id: OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable.
  • Reference to LoadLibrary API (severity: high; id: SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (severity: high; id: SC_STR_GETPROCADDRESS)
  • AutoOpen macro (severity: high; id: OLE_VBA_AUTOOPEN)
  • Ole10Native package carries executable/script file type (severity: high; id: OFFICE_PACKAGE_RISKY_FILE)
    OLE Package displayName or fullPath ends in an executable or script-capable extension. Even without UI extension spoofing, embedding a runnable payload inside an Office document is a high-risk delivery pattern.
  • VBA macros detected (severity: medium; id: OLE_VBA_MACROS)
    Document contains VBA macro code.
  • Suspicious extracted artifact (severity: info; id: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 097c54ab9fcd7746ec8bda24edbb0a5d79ba6d7f69f2169b4ee3b6a55f276b5a
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 649 bytes
  • Filename: embedded_office_000108f4.exe
    SHA-256: bc9c66ff7a074209fde8b9bcd787f49e2592d1830bf7b9fb3547fca5be13c21a
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x108F4
    Size: 720652 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 7.86, consistent with packed or encrypted content.
  • Filename: ole10native_00.bin
    SHA-256: f9d269bf6fc597c8de3b49ff6020e2dec263a58f58f9a900a40d2261757c1f8f
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_1714511623/Ole10Native
    Size: 698558 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 7.86, consistent with packed or encrypted content.