MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
The file is identified as malicious by ClamAV with the signature Win.Trojan.NPad-1. Static analysis reveals suspicious findings related to embedded Office documents, specifically indicating issues with OLE streams and directory cycles. This suggests the file likely exploits a vulnerability within the Office application itself to achieve code execution.
Heuristics 3
-
Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGEA CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
-
ClamAV: Win.Trojan.NPad-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.NPad-1
-
CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMSThe file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_office_off00002278.ole51f12ea07810fb658d01ce8bd77f4c18b461e04ff520cc98074809b3a902cfdb |
embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x2278 | 15752 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.