Win.Trojan.Cap-1 — Office (OLE) / .TMP malware analysis

Static analysis result for SHA-256 70de62684799576a…

MALICIOUS

Office (OLE) / .TMP

Size: 29.5 KB · Created: 2000-01-21 21:10:00 · Authoring application: Microsoft Word for Windows 95
MD5: e6f770b39de480c99c54f8381f38a998
SHA-1: 2210b3caaa5d3631adc50e7c4dfe6fa636ae1b79
SHA-256: 70de62684799576adc9c4e780dc524d44617a5fed79f004b003a31a8b0226c08
Risk score: 142

Malware Insights

Win.Trojan.Cap-1 · confidence 85%

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is classified as a malicious OLE file. The critical findings concern its structure: the CFB header is valid, yet the parser can read no streams from the directory, and the summary also reports directory cycles. Both are consistent with either deliberate obfuscation (content shifted so that a strict parser fails while the host application still recovers the object) or plain corruption. The ClamAV hit 'Win.Trojan.Cap-1' is the strongest indicator of malicious intent. The single embedded URL points to a university course page and is benign on its own; it is most likely lure or leftover content rather than a payload or command-and-control location.

Heuristics (4)

  • EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE (critical): Embedded Office document has suspicious static findings
    A CFB/OLE Office document was found inside another file and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file would otherwise be routed to a PE, archive, or generic scanner instead of the Office scanner.
  • CLAMAV_DETECTION (critical): ClamAV: Win.Trojan.Cap-1
    ClamAV detected this file as malware: Win.Trojan.Cap-1
  • OLE_PARSE_EMPTY_STREAMS (medium): CFB header with no readable streams
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous: it occurs with truncated or corrupt files and, more importantly, with content deliberately shifted off the expected sector boundaries to defeat parsers while the host application still recovers the object.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://online.sfsu.edu/~shu/engr478/engr478.htm

Extracted artifacts (2)

Files carved from inside the sample during analysis. Note that both bodies run to the end of the file: each offset plus size sums to 30208 bytes, which matches the reported 29.5 KB (at 1024 bytes per KB). The carver therefore found two CFB signatures 0x431 bytes apart and took everything from each to EOF, so the second artifact is a suffix of the first rather than an independent embedded object.

Filename                         Kind             Source                                                        Size
embedded_office_off00003a5e.ole  embedded-office  Embedded OLE/CFB Office body inside OLE container at 0x3A5E   15266 bytes
  SHA-256: 9007cb23dcc80c5a5694520d25535a28a97fcb90324909b526f8dc5b0faf76e1
embedded_office_off00003e8f.ole  embedded-office  Embedded OLE/CFB Office body inside OLE container at 0x3E8F   14193 bytes
  SHA-256: 7bc2e80af617703d51ef6d621b7a7c462862442c40172ff2e510025e50c3e14b
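The two structural findings above (OLE_PARSE_EMPTY_STREAMS and the carved EMBEDDED_OFFICE_CHILD artifacts at non-sector-aligned offsets) can be reproduced with a small CFB walker. The following is an added example written for this page, not the scanner's or ClamAV's own code. It constructs three compound files in memory (one intact, one whose header points at a directory sector past EOF, one whose directory FAT chain loops), reports whether any stream entries are readable, and carves CFB signatures out of a constructed host blob at the same 0x3A5E offset the report shows. The stream name `WordDocument`, the filler bytes and the 4096-byte body are constructed sample data; mini-stream (below 4096 bytes) streams are deliberately not dereferenced.

```python
"""Minimal CFB/OLE2 directory walker plus embedded-CFB carver (added example)."""
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FATSECT, FREESECT = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
STREAM, ROOT = 2, 5
SEC = 512  # v3 compound file sector size (sector shift 9)


def dir_entry(name, obj_type, child=FREESECT, start=ENDOFCHAIN, size=0):
    """One 128-byte directory entry; name is UTF-16LE with a terminating NUL."""
    e = bytearray(128)
    raw = name.encode("utf-16-le") + b"\x00\x00"
    e[:len(raw)] = raw
    struct.pack_into("<HBB", e, 0x40, len(raw), obj_type, 1)      # name length, type, colour
    struct.pack_into("<III", e, 0x44, FREESECT, FREESECT, child)  # left, right, child
    struct.pack_into("<IQ", e, 0x74, start, size)                 # first sector, size
    return bytes(e)


def build_cfb(dir_sector=1, cycle=False):
    """Constructed sample: header, FAT in sector 0, directory in sector 1, one
    4096-byte 'WordDocument' stream in sectors 2-9. dir_sector != 1 points the
    header at an unreachable directory; cycle=True loops the directory chain."""
    hdr = bytearray(SEC)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # versions, byte order, shifts
    struct.pack_into("<IIII", hdr, 0x28, 0, 1, dir_sector, 0)    # dir sects, FAT sects, first dir, txn
    struct.pack_into("<IIIII", hdr, 0x38, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # mini cutoff/FAT, DIFAT
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))  # DIFAT[0] -> FAT sector 0
    fat = [FREESECT] * (SEC // 4)
    fat[0], fat[1] = FATSECT, (1 if cycle else ENDOFCHAIN)
    for s in range(2, 9):
        fat[s] = s + 1
    fat[9] = ENDOFCHAIN
    directory = (dir_entry("Root Entry", ROOT, child=1)
                 + dir_entry("WordDocument", STREAM, start=2, size=4096)
                 + bytes(256))                                   # two unallocated slots
    body = b"WORD-DOC-BODY".ljust(8 * SEC, b"\x00")              # constructed stream content
    return bytes(hdr) + struct.pack("<128I", *fat) + directory + body


def read_sector(data, n):
    off = (n + 1) * SEC                                           # sector -1 is the header
    if off + SEC > len(data):
        raise ValueError(f"sector {n} lies past end of file")
    return data[off:off + SEC]


def chain(fat, start):
    """Follow a FAT chain, refusing loops and out-of-range sector numbers."""
    seen, s = set(), start
    while s not in (ENDOFCHAIN, FREESECT):
        if s in seen or s >= len(fat):
            raise ValueError(f"FAT chain cyclic or out of range at sector {s}")
        seen.add(s)
        yield s
        s = fat[s]


def parse_cfb(data):
    """Return readable directory entries, reachable stream bodies (>= 4096 bytes
    only), any walk error, and the OLE_PARSE_EMPTY_STREAMS verdict."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not a CFB header")
    if struct.unpack_from("<H", data, 0x1E)[0] != 9:
        raise ValueError("only 512-byte sectors handled in this example")
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    difat = struct.unpack_from("<109I", data, 0x4C)
    fat = [v for s in difat[:n_fat] for v in struct.unpack_from("<128I", read_sector(data, s))]
    entries, error = [], None
    try:
        for s in chain(fat, first_dir):
            blk = read_sector(data, s)
            for i in range(0, SEC, 128):
                name_len, typ = struct.unpack_from("<HB", blk, i + 0x40)
                if typ == 0:
                    continue                                      # unallocated entry
                name = blk[i:i + max(name_len - 2, 0)].decode("utf-16-le")
                start, size = struct.unpack_from("<IQ", blk, i + 0x74)
                entry = {"name": name, "type": typ, "size": size}
                if typ == STREAM and size >= 4096:                # smaller streams live in the mini stream
                    entry["data"] = b"".join(read_sector(data, x) for x in chain(fat, start))[:size]
                entries.append(entry)
    except ValueError as err:
        error = str(err)
    return {"entries": entries, "error": error,
            "empty_streams": not any(e["type"] == STREAM for e in entries)}


def carve_embedded_cfb(blob):
    """Every CFB magic after offset 0 (offset 0 would be the host's own header),
    with whether it sits on a sector boundary; the report's bodies did not."""
    hits, pos = [], blob.find(CFB_MAGIC, 1)
    while pos != -1:
        hits.append({"offset": pos, "aligned": pos % SEC == 0})
        pos = blob.find(CFB_MAGIC, pos + 1)
    return hits


def wrap_in_host(inner, offset=0x3A5E):
    """Constructed host blob: filler bytes, then the inner document at `offset`."""
    return b"\xAA" * offset + inner


if __name__ == "__main__":
    for label, doc in (("intact", build_cfb()), ("bad dir", build_cfb(dir_sector=0x7F)),
                       ("cyclic", build_cfb(cycle=True))):
        r = parse_cfb(doc)
        print(label, [e["name"] for e in r["entries"]], "empty_streams:", r["empty_streams"], r["error"])
    host = wrap_in_host(build_cfb())
    for h in carve_embedded_cfb(host):
        inner = parse_cfb(host[h["offset"]:])
        print("embedded CFB at 0x%X aligned=%s readable=%s" % (h["offset"], h["aligned"], not inner["empty_streams"]))
```

The walker mirrors what a strict scanner does: it trusts only what the header, DIFAT and FAT let it reach, so a header whose directory pointer is off the end of the file yields zero stream entries (the medium finding above), while a looping chain is reported as an error rather than spinning forever. Carving by signature at arbitrary byte offsets, independent of sector alignment, is what recovers an Office body a strict parser would otherwise never see.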