Office (OLE) / .TMP malware analysis — malicious · 38fb63536614f8cc

MALICIOUS

Office (OLE) / .TMP

76.0 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.

MD5: a943434bbe5fe539b9ff4960395dab0b SHA-1: f21d2b2a2a1187c6e8bfa38474b3b32231f084da SHA-256: 38fb63536614f8cc6492e77b1cf8f5ec74d99255b676df42181d07f2aeebeee9

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The sample exhibits a large slack space anomaly and PEB access, indicative of a packed or obfuscated executable. The embedded script attempts to reconstruct a URL from concatenated strings, likely for downloading a second-stage payload. Specifically, it reconstructs the URL 'evil.tld' and writes to the registry key 'HKCU\Software\Microsoft\Office\11.0\Word\Resiliency\DisabledItems\DisabledItems' for persistence.

Heuristics 2

PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 77,824 bytes but its declared streams total only 16,486 bytes — 61,338 bytes (79%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.