Win.Trojan.Tristate-2 — Office (OLE) / .DOC malware analysis

Static analysis result for SHA-256 e2a6084fbccf4b19…

MALICIOUS

Office (OLE) / .DOC

Size: 51.5 KB
Created: 2000-09-12 17:48:00
Authoring application: Microsoft Word 8.0
MD5: 9cc2bed1d9ce5482c344e4940719fafe
SHA-1: 059825efa41b150568fca30567b4a21fd1a9f98f
SHA-256: e2a6084fbccf4b19d60bb1356c11ff2b2637d8ac4436ea4758681df711f1bd13
Risk Score: 100

Malware Insights

Win.Trojan.Tristate-2 · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Win.Trojan.Tristate-2. The document body explicitly warns of a macro virus infection, indicating a social engineering tactic to prompt the user to enable macros. The large slack space in the OLE structure is also anomalous, though its specific role is unclear without further analysis.

Heuristics (2)

  • ClamAV: Win.Trojan.Tristate-2 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Tristate-2.
  • OLE document has a large unaccounted-for region (severity: high; rule: OLE_SLACK_ANOMALY)
    The OLE file is 52,736 bytes, but its declared streams total only 18,572 bytes; the remaining 34,164 bytes (65%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).