MALICIOUS
582
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1105 Ingress Tool Transfer
This OLE document contains an embedded PE executable and exhibits suspicious characteristics such as a large slack anomaly and references to process creation and file downloading APIs. ClamAV detected it as Win.Trojan.Agent-6943819-1. The document body states 'This is an Antivirus Bait file,' which is a common lure to disguise malicious content.
Heuristics 13
-
ClamAV: Win.Trojan.Agent-6943819-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Agent-6943819-1
-
Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOADReference to URLDownloadToFile API
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGEA CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
-
Reference to CreateProcess API high SC_STR_CREATEPROCESSReference to CreateProcess API
-
Reference to ShellExecute API high SC_STR_SHELLEXECReference to ShellExecute API
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 857,162 bytes but its declared streams total only 12,288 bytes — 844,874 bytes (99%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECTReference to VirtualProtect API
-
CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMSThe file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://ocsp.verisign.com0 In document text (OLE body)
- http://crl.verisign.com/ThawteTimestampingCA.crl0In document text (OLE body)
- http://crl.verisign.com/tss-ca.crl0In document text (OLE body)
- http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl0OIn document text (OLE body)
- http://www.microsoft.com/pki/certs/CodeSignPCA2.crt0In document text (OLE body)
- http://office.microsoft.comIn document text (OLE body)
- https://www.verisign.com/rpaIn document text (OLE body)
- https://www.verisign.com/rpa01In document text (OLE body)
- http://crl.verisign.com/pca3.crl0In document text (OLE body)
- http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0DIn document text (OLE body)
- https://www.verisign.com/rpa0In document text (OLE body)
- http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0In document text (OLE body)
Extracted artifacts 6
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_office_0000660a.exe |
embedded-pe | Office MZ+PE at offset 0x660A | 831040 bytes |
SHA-256: 5ae0dd8b5cee2480bfc4869b76bf49487993cfc20dc88b04ec72501f6a187096 |
|||
|
Detection
ClamAV:
Win.Trojan.Agent-6943819-1
Obfuscation or payload:
likely
Static shellcode analysis recovered command string(s): cmdln
|
|||
embedded_office_off00003605.ole |
embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x3605 | 843333 bytes |
SHA-256: 10809db2d99b82b9a094628446363bee9c32a9991ee499602b1a304fd3088d2f |
|||
|
Detection
ClamAV:
Win.Trojan.Agent-6943819-1
Obfuscation or payload:
likely
Static shellcode analysis recovered command string(s): cmdln
|
|||
embedded_office_off00006480.ole |
embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x6480 | 831434 bytes |
SHA-256: acd6681617110275662740b4299fa13f16022a90c9684846d7b67018dc4f2cdc |
|||
|
Detection
ClamAV:
Win.Trojan.Agent-6943819-1
Obfuscation or payload:
likely
Static shellcode analysis recovered command string(s): cmdln
|
|||
embedded_office_0000660a_1.exe |
embedded-pe | Office MZ+PE at offset 0x660A | 395967 bytes |
SHA-256: 017a26e1312f18458dd72f76dabc941ea85a4ca91ede50a3c915fb47b88019d9 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis recovered command string(s): cmdln
|
|||
embedded_office_off0006a381.ole |
embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x6A381 | 422089 bytes |
SHA-256: 2ceac8c85864b8528f8f16a972da78558694496370c97f25e250981b6f216290 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis recovered command string(s): cmdln
|
|||
embedded_office_off0006d986.ole |
embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x6D986 | 408260 bytes |
SHA-256: 9f47698654d25cdb451614415f7eead79957f0f67243b1cbc882fdb2f077375e |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis recovered command string(s): cmdln
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.