Win.Dropper.Agent-34643 — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 5e429529b1d5e093…

MALICIOUS

Office (OLE) / .XLS

Size: 197.0 KB
Created: 2004-10-11 06:31:23
Authoring application: Microsoft Excel
MD5: 3cfa48d771bff3d6e56333446e514b86
SHA-1: 0ed6a0b5d79db4e2f5defc2ec60f524884a4053d
SHA-256: 5e429529b1d5e093c899046e15a010e18ac3e20b988612b25ca4074ba2661d8a
Risk Score: 140

Malware Insights

Win.Dropper.Agent-34643 · confidence 90%

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The critical ClamAV detection identifies the file as Win.Dropper.Agent-34643, a known dropper. The SC_STR_WSCRIPT heuristic indicates a reference to Windows Script Host, suggesting the document is designed to execute malicious scripts. The OLE slack anomaly is a common characteristic of packed or obfuscated malicious files.

Heuristics (3)

  • ClamAV: Win.Dropper.Agent-34643 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Dropper.Agent-34643
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 201,728 bytes but its declared streams total only 40,570 bytes — 161,158 bytes (80%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).