Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 40fdf89e868b294a…

MALICIOUS

Office (OLE)

Size: 126.0 KB
Created: 2017-12-07 10:10:00
Authoring application: Microsoft Office Word
First seen: 2018-11-05
MD5: 951140ed56c234de713a9c1c016f9dde
SHA-1: 5c1ada03794088d84528b401c894339bbc8d3ef9
SHA-256: 40fdf89e868b294a5d9e534fe2cd5800073c1f67677b1a88315bfc9c29153ca3
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with a signature indicating it is a phishing lure dropper. The OLE slack anomaly suggests the presence of hidden or obfuscated data within the document. While the document body is heavily corrupted and unreadable, the ClamAV detection strongly implies an intent to deliver a malicious payload, likely through a phishing lure.

Heuristics (3)

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • OLE document has large unaccounted-for region (severity: high, OLE_SLACK_ANOMALY)
    OLE file is 129,024 bytes but its declared streams total only 24,685 bytes — 104,339 bytes (81%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)