Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0ce4f777e5c33e46…

MALICIOUS

Office (OLE)

Size: 36.0 KB (36,864 bytes)
Created: 1999-03-08 10:30:00
Authoring application: Microsoft Word for Windows 95
MD5: 01ff08b0a107bbd82c57fe2f8ee99e34
SHA-1: b667a5d35fa9f8cc07eb4cf49add8ad8e404d25b
SHA-256: 0ce4f777e5c33e465478c0e28eb178681bd4d43f8888c8bc9962375e818641d7
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The file is an OLE compound document in which roughly half of the bytes on disk are not claimed by any stream, a structural anomaly that points to obfuscated or embedded content rather than a benign Word file. ClamAV matches the file with the signature Win.Trojan.Tm-1. The document body also contains unusual strings and a reference to AUTOOPEN, the name of the Word auto-execute macro that runs when a document is opened, so macro code that fires on open is likely. Taken together the indicators fit exploitation for client execution (T1203), with the on-open code likely staging a download of a secondary payload. Note that the two heuristics describe different mechanisms: an auto-running macro is triggered by the user opening the document, whereas a payload hidden in unallocated sectors is reached through a parser bug. Which of the two this sample actually relies on should be confirmed by extracting the streams and inspecting the slack region rather than inferred from the score alone.

Heuristics (2)

  • ClamAV: Win.Trojan.Tm-1 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware with the signature Win.Trojan.Tm-1.
  • OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]
    The OLE file is 36,864 bytes but its declared streams total only 17,262 bytes, leaving 19,602 bytes (53%) that no stream accounts for. Unallocated sector slack is a classic hiding place for exploit payloads in binary (pre-OOXML) Office documents: the document structure is corrupted so that a parser bug hands control to XOR-encoded shellcode stored in the slack. Because this heuristic compares file size with declared stream sizes, the header, FAT and directory sectors are counted as unaccounted as well, so the percentage is an upper bound; checking which sectors the FAT actually marks free gives the tighter figure.
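The two measures above (declared stream bytes versus bytes the FAT actually allocates), together with the AUTOOPEN string check from the summary, can be reproduced with a small compound-file parser. The following is an added example, not the scanner's own code: it assumes a v3 compound file with 512-byte sectors, a single FAT sector, no DIFAT chain and no mini FAT, and it fabricates such a file inline (one 4,200-byte `WordDocument` stream followed by eight free sectors holding a plaintext `AUTOOPEN` marker and a command XOR-encoded with the constructed key `0x5C`). Nothing in the constructed file comes from the sample analysed on this page.

```python
"""Minimal OLE/CFB slack-space check (added example, not the scanner's code).

Constructed assumptions, none taken from the analysed sample: a v3 compound
file with 512-byte sectors, one FAT sector, no DIFAT chain and no mini FAT.
build_sample() fabricates such a file with one 4,200-byte 'WordDocument'
stream and eight FREESECT sectors that hold a plaintext AUTOOPEN marker
followed by a single-byte-XOR-encoded command (key 0x5C, chosen here).
"""
import re
import struct

MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT, ENDOFCHAIN, FATSECT, NOSTREAM = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF


def parse_ole(data):
    """Return (sector_size, fat, directory entries) for a small CFB file."""
    if data[:8] != MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    if struct.unpack_from("<I", data, 68)[0] != ENDOFCHAIN:
        raise ValueError("DIFAT sector chains are not handled in this example")
    fat = []
    for sect in struct.unpack_from("<109I", data, 76)[:num_fat]:   # FAT sectors named in header DIFAT
        fat += struct.unpack_from("<%dI" % (sector_size // 4), data, (sect + 1) * sector_size)
    entries, sect, seen = [], first_dir, set()
    while sect < len(fat) and sect not in seen:                     # follow the directory chain
        seen.add(sect)
        base = (sect + 1) * sector_size
        for i in range(sector_size // 128):
            e = data[base + i * 128:base + (i + 1) * 128]
            name_len, obj_type = struct.unpack_from("<HB", e, 64)
            if obj_type == 0:                                       # unused directory slot
                continue
            start, size = struct.unpack_from("<IQ", e, 116)
            if sector_size == 512:                                  # v3: only low 32 bits of size count
                size &= 0xFFFFFFFF
            entries.append({"name": e[:max(name_len - 2, 0)].decode("utf-16-le", "replace"),
                            "type": obj_type, "start": start, "size": size})
        sect = fat[sect]
    return sector_size, fat, entries


def xor_key_candidates(region, markers=(b"cmd.exe", b"http://", b"This program")):
    """Single-byte XOR keys under which the region decodes to a known marker."""
    return [k for k in range(256)
            if any(m in bytes(b ^ k for b in region) for m in markers)]


def slack_report(data):
    """Compare what the FAT and directory account for with what is on disk."""
    sector_size, fat, entries = parse_ole(data)
    n_sectors = (len(data) - sector_size) // sector_size             # whole sectors after the header
    unalloc = [i for i in range(n_sectors) if i >= len(fat) or fat[i] == FREESECT]
    tail = len(data) - (n_sectors + 1) * sector_size                 # bytes of a partial last sector
    slack = b"".join(data[(i + 1) * sector_size:(i + 2) * sector_size] for i in unalloc)
    slack += data[(n_sectors + 1) * sector_size:]
    return {
        "file_size": len(data),
        "streams": {e["name"]: e["size"] for e in entries if e["type"] == 2},
        "declared_stream_bytes": sum(e["size"] for e in entries if e["type"] == 2),  # report's measure
        "unallocated_sectors": unalloc,
        "unallocated_bytes": len(unalloc) * sector_size + tail,       # FAT-level measure
        "slack_strings": re.findall(rb"[ -~]{6,}", slack),            # printable runs in free sectors
        "xor_keys": xor_key_candidates(slack),
    }


def build_sample():
    """Fabricate the test file: header, FAT, directory, 9 stream sectors, 8 free sectors."""
    ss, stream = 512, b"WordDocument stream (constructed)".ljust(4200, b"\x00")
    n = -(-len(stream) // ss)                                        # stream sectors, rounded up
    fat = [FREESECT] * (ss // 4)
    fat[0], fat[1] = FATSECT, ENDOFCHAIN                             # sector 0 = FAT, 1 = directory
    for i in range(n):                                              # stream chain in sectors 2..n+1
        fat[2 + i] = 3 + i if i < n - 1 else ENDOFCHAIN
    hdr = bytearray(ss)
    hdr[:8] = MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)        # versions, byte order, shifts
    struct.pack_into("<III", hdr, 40, 0, 1, 1)                       # dir sectors, FAT sectors, first dir
    struct.pack_into("<IIIIII", hdr, 52, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, 0, *[FREESECT] * 108)         # header DIFAT: FAT is sector 0

    def dirent(name, typ, child, start, size):
        e, nb = bytearray(128), name.encode("utf-16-le") + b"\x00\x00"
        e[:len(nb)] = nb
        struct.pack_into("<HBBIII", e, 64, len(nb), typ, 1, NOSTREAM, NOSTREAM, child)
        struct.pack_into("<IQ", e, 116, start, size)
        return bytes(e)

    directory = dirent("Root Entry", 5, 1, ENDOFCHAIN, 0) + dirent("WordDocument", 2, NOSTREAM, 2, len(stream))
    hidden = bytes(b ^ 0x5C for b in b"cmd.exe /c calc")             # constructed payload, key 0x5C
    slack = (b"AUTOOPEN\x00" + hidden).ljust(8 * ss, b"\x00")        # lives in FREESECT sectors
    return (bytes(hdr) + struct.pack("<%dI" % (ss // 4), *fat) + directory.ljust(ss, b"\x00")
            + stream.ljust(n * ss, b"\x00") + slack)


if __name__ == "__main__":
    for key, value in slack_report(build_sample()).items():
        print(key, value)
```

On the constructed file the FAT-level figure (4,096 unallocated bytes out of 10,240) is smaller than the naive file-size-minus-declared-streams figure, because the header, FAT and directory sectors are legitimately not stream bytes; on a real sample the gap between the two numbers is a useful sanity check before calling the slack suspicious. The `xor_key_candidates` brute force only finds payloads encoded with a single repeating byte; multi-byte or rolling keys need a different approach.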