Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cb6def490e3a5034…

MALICIOUS

Office (OLE)

39.5 KB Created: 1999-03-17 12:28:00 Authoring application: Microsoft Word 6.0 First seen: 2015-09-30
MD5: 9a1c2499daa946fc6fe9a684b1b935b0 SHA-1: 10220fec9b1da839bb9b2b78cb15c391eeecc559 SHA-256: cb6def490e3a5034776878b5f6776e0318913cf722eb3fd322fe0877ff578213
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is an OLE document with legacy WordBasic macro virus markers, indicating the presence of malicious macros. The large slack space anomaly further suggests potential obfuscation or packed code. The ClamAV detection as Win.Trojan.Cap-1 confirms its malicious nature, likely involving macro execution to download or execute a payload.

Heuristics 3

  • ClamAV: Win.Trojan.Cap-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Cap-1
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 40,448 bytes but its declared streams total only 20,574 bytes — 19,874 bytes (49%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).