Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bc971f9b46f60bcc…

MALICIOUS

Office (OLE)

Size: 44.0 KB (45,056 bytes)
Created: 1997-04-26 16:27:00
Authoring application: Microsoft Word for Windows 95
First seen: 2012-06-14
MD5: ce9d56681c2dfafa1febf23f4a96984a
SHA-1: 2a0e6e7dd9d85e9a58b3dedb4e7ae8a139ae76b6
SHA-256: bc971f9b46f60bcc213e32aa8b68e8443ef9d5ce2a60c55afebe16d169adac36
Risk score: 100

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV, with a critical heuristic firing for Legacy.Trojan.Agent-444 (a generic legacy signature name, so it confirms detection but does not by itself attribute the sample to a specific family). The document body contains the text "Virus Infected Bait File" together with author names; the report reads this as a social-engineering lure, since text that invites the user to trust or interact with the document is a common tactic for getting malicious content opened. The OLE slack anomaly indicates that a large part of the file lies outside any declared stream, which is consistent with obfuscated or embedded malicious content.

Heuristics (2)

  • ClamAV: Legacy.Trojan.Agent-444 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Legacy.Trojan.Agent-444
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    The OLE file is 45,056 bytes, but its declared streams total only 26,910 bytes; the remaining 18,146 bytes (40%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads: XOR-encoded shellcode that a parser pointer-corruption bug in the document structure redirects execution into. Note that this metric counts the header, FAT and directory sectors as "unaccounted for" too, so a small fraction of slack is normal in any compound file; 40% of the file is not.
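The slack measurement behind the OLE_SLACK_ANOMALY heuristic can be reproduced from the compound-file structure itself: read the header, load the FAT, walk the directory, sum the declared stream sizes, and compare against the file size. The following is an added example written for this report, not the analysis engine's own code. It constructs a small OLE2/CFB file inline (a single WordDocument stream followed by free sectors filled with 0x90 bytes; this constructed file is not the analysed sample) and reports both the report's metric (file size minus declared stream bytes) and a stricter one (sectors that no FAT chain reaches, with their file offsets, so an analyst can carve them). It assumes a version 3 file whose FAT fits in the 109 header DIFAT slots and ignores DIFAT sectors.

```python
"""OLE slack accounting for OLE2/CFB files. Added example; the sample file is
constructed below and is not the analysed document."""
import struct

SECTOR = 512
MAXREGSECT, FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFA, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
NOSTREAM = 0xFFFFFFFF
MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def ole_slack(data: bytes) -> dict:
    """Parse header, FAT and directory of a CFB file and account for its sectors."""
    if data[:8] != MAGIC:
        raise ValueError("not an OLE compound file")
    sec = 1 << struct.unpack_from("<H", data, 30)[0]            # sector shift (9 -> 512 bytes)
    n_fat, first_dir = struct.unpack_from("<II", data, 44)
    cutoff, first_minifat = struct.unpack_from("<II", data, 56)
    difat = struct.unpack_from("<109I", data, 76)               # assumption: no DIFAT sectors
    fat = []
    for s in difat[:n_fat]:
        fat.extend(struct.unpack_from("<%dI" % (sec // 4), data, (s + 1) * sec))

    def chain(start):
        seen = set()                                             # guards against FAT loops
        while start < MAXREGSECT and start < len(fat) and start not in seen:
            seen.add(start)
            yield start
            start = fat[start]

    reachable = set(difat[:n_fat]) | set(chain(first_dir)) | set(chain(first_minifat))
    dir_bytes = b"".join(data[(s + 1) * sec:(s + 2) * sec] for s in chain(first_dir))
    declared, streams = 0, []
    for off in range(0, len(dir_bytes), 128):                   # 128-byte directory entries
        e = dir_bytes[off:off + 128]
        etype = e[66]
        if etype == 0:                                          # unused entry
            continue
        nlen = struct.unpack_from("<H", e, 64)[0]
        name = e[:max(nlen - 2, 0)].decode("utf-16-le", "replace")
        start, size = struct.unpack_from("<IQ", e, 116)
        size &= 0xFFFFFFFF                                      # v3: only the low dword counts
        if etype == 2:                                          # stream entry
            declared += size
            streams.append((name, size))
        # data sectors: the root's mini-stream chain, and any stream at or above the cutoff
        if etype == 5 or (etype == 2 and size >= cutoff):
            reachable |= set(chain(start))
    total_sectors = (len(data) - sec) // sec
    unreachable = sorted(s for s in range(total_sectors) if s not in reachable)
    return {
        "file_size": len(data),
        "declared_stream_bytes": declared,
        "slack_bytes": len(data) - declared,                    # the report's metric
        "slack_pct": round(100.0 * (len(data) - declared) / len(data), 1),
        "unreachable_sectors": len(unreachable),                # stricter: no FAT chain reaches them
        "unreachable_bytes": len(unreachable) * sec,
        "unreachable_offsets": [(s + 1) * sec for s in unreachable],
        "streams": streams,
    }


def _dir_entry(name, etype, start, size, child=NOSTREAM):
    raw = name.encode("utf-16-le")
    return struct.pack("<64sHBBIII16sIQQIQ", raw.ljust(64, b"\0"), len(raw) + 2 if raw else 0,
                       etype, 1, NOSTREAM, NOSTREAM, child, b"\0" * 16, 0, 0, 0, start, size)


def build_sample_ole(stream: bytes, slack_sectors: int, filler: bytes = b"\x90") -> bytes:
    """Constructed CFB v3 file: header, one FAT sector, one directory sector, a
    WordDocument stream (must be non-empty and >= 4096 bytes so it lives in regular
    sectors), then `slack_sectors` free sectors holding `filler` (the hidden region)."""
    n_stream = -(-len(stream) // SECTOR)
    fat = [FATSECT, ENDOFCHAIN]                                 # sector 0 = FAT, 1 = directory
    fat += [3 + i for i in range(n_stream - 1)] + [ENDOFCHAIN]  # stream occupies sectors 2..
    fat += [FREESECT] * (SECTOR // 4 - len(fat))                # trailing sectors left free
    header = struct.pack("<8s16sHHHHH6sIIIIIIIII", MAGIC, b"\0" * 16, 0x3E, 3, 0xFFFE, 9, 6,
                         b"\0" * 6, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    header += struct.pack("<109I", 0, *([FREESECT] * 108))     # DIFAT: FAT is sector 0
    directory = (_dir_entry("Root Entry", 5, ENDOFCHAIN, 0, child=1)
                 + _dir_entry("WordDocument", 2, 2, len(stream))
                 + _dir_entry("", 0, 0, 0) * 2)
    body = stream.ljust(n_stream * SECTOR, b"\0")
    slack = (filler * SECTOR)[:SECTOR] * slack_sectors
    return header + struct.pack("<128I", *fat) + directory + body + slack


if __name__ == "__main__":
    sample = build_sample_ole(b"A" * 6000, slack_sectors=8)
    for k, v in ole_slack(sample).items():
        print(f"{k}: {v}")
```

On the constructed sample the report's metric flags 49% slack even though only 8 of 22 sectors are actually unreachable; on the same file rebuilt with no free sectors it still reports the 1,536 bytes of header, FAT and directory as "slack". Use the unreachable-sector figure and offsets when deciding what to carve and scan for encoded shellcode.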