MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The file is an OLE document with legacy WordBasic macro virus markers, indicating the presence of malicious macros. The large slack space anomaly further suggests potential obfuscation or packed code. The ClamAV detection as Win.Trojan.Cap-1 confirms its malicious nature, likely involving macro execution to download or execute a payload.
Heuristics 3
-
ClamAV: Win.Trojan.Cap-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Cap-1
-
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 40,448 bytes but its declared streams total only 20,574 bytes — 19,874 bytes (49%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Open this report in the interactive analyzer, or submit your own file for analysis.