Office (OLE) malware analysis — malicious · a4626f93fb0dadc9

MALICIOUS

Office (OLE)

32.0 KB Created: 1997-09-17 15:13:00 Authoring application: Microsoft Word 6.0

MD5: 5631f1684a8bd66ebce32688d4d92e7c SHA-1: a2256fe49977c333854c57ae6554c5feffd3c6b9 SHA-256: a4626f93fb0dadc9df10d7f5871fc5bf013ba2f54ebaa1eed8182a66fa0ffdbc

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications T1059.001 PowerShell

The file is an OLE document with a large slack space anomaly and contains an Excel 4.0 (XLM) macro sheet, indicating malicious intent. ClamAV detected it as Win.Trojan.Cap-1. The document body appears to be a generic agreement, likely a lure to encourage the user to enable macros. No scripts were extracted, but the presence of XLM macros suggests an attempt to execute arbitrary code.

Heuristics 3

ClamAV: Win.Trojan.Cap-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Cap-1
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 32,768 bytes but its declared streams total only 15,235 bytes — 17,533 bytes (54%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Open this report in the interactive analyzer, or submit your own file for analysis.