Win.Dropper.Agent-34444 — Office (OLE) malware analysis

Static analysis result for SHA-256 905bbba4b7e3ed50…

MALICIOUS

Office (OLE)

Size: 117.6 KB
Created: 2007-05-23 15:32:00
Authoring application: Microsoft Office Word
First seen: 2015-09-24
MD5: 14823ae0e1296c6daa76bbab96f6f510
SHA-1: add2a185a3c57db96031ff6644f0a914fac7ccce
SHA-256: 905bbba4b7e3ed50a92eebbc19217a025dd77e2079852ece0affef5e50f2b9ae
Risk Score: 100

Malware Insights

Win.Dropper.Agent-34444 · confidence 95%

MITRE ATT&CK
T1203 Exploitation for Client Execution

The file is an OLE document with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. ClamAV identified it as Win.Dropper.Agent-34444, a known dropper. The presence of slack space and the dropper signature suggest the file is designed to download and execute a secondary payload.

Heuristics (2)

  • ClamAV: Win.Dropper.Agent-34444 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Dropper.Agent-34444
  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    OLE file is 120,424 bytes but its declared streams total only 16,543 bytes — 103,881 bytes (86%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).