Office (OLE) / .TMP malware analysis — malicious · 3b75357081db9969

MALICIOUS

Office (OLE) / .TMP

172.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: f083b38e84c0a1270be4407fcdc8f88e SHA-1: 764046e3e98caaee2cb6edee96e803c26036b06f SHA-256: 3b75357081db9969732f4ae81c7cbd41ddb1fd4c338778e2e4f727884cb840a2

160 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.001 PowerShell T1105 Ingress Tool Transfer

The sample is an OLE document with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. Heuristics indicate the use of CreateProcess, LoadLibrary, and GetProcAddress APIs, suggesting the execution of dynamic code or loading of external libraries. The document body presents itself as an application form for various permits, a common lure for social engineering. Although no scripts were explicitly extracted, the API calls strongly suggest the file is a downloader or dropper for further malicious activity.

Heuristics 4

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 176,640 bytes but its declared streams total only 21,308 bytes — 155,332 bytes (88%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.