Win.Dropper.Agent-30176 — Office (OLE) / .DOC malware analysis

Static analysis result for SHA-256 6d72715d8f6cdb70…

MALICIOUS

Office (OLE) / .DOC

Size: 81.5 KB
Created: 2007-12-03 01:19:00
Authoring application: Microsoft Word 9.0
MD5: 6634eacd3dae03be9767ac91b71decba
SHA-1: 3bb01141b195cc745f095e9fcdf9dd1651b0192e
SHA-256: 6d72715d8f6cdb70e705dc580d21f7977f3d05077433a84a90ac92a69d0598f3
Risk Score: 160

Malware Insights

Win.Dropper.Agent-30176 · confidence 95%

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Win.Dropper.Agent-30176. Static analysis revealed XOR-encoded strings and a large slack space anomaly within the OLE structure, indicative of obfuscation and potential payload hiding. The document's content and structure suggest it is designed to exploit a vulnerability, likely leading to the download and execution of a secondary malicious component.

Heuristics (3)

  • XOR-encoded strings (key 0x95) [critical, SC_XOR_ENCODED]
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x95: 'GetProcAddress', 'VirtualAlloc', 'VirtualAlloc', 'VirtualAllocEx', 'VirtualProtect', 'VirtualProtect', 'VirtualProtectEx', 'CreateProcessA'
  • ClamAV: Win.Dropper.Agent-30176 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Dropper.Agent-30176
  • OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]
    OLE file is 83,456 bytes but its declared streams total only 16,486 bytes — 66,970 bytes (80%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).