Malicious Office (OLE) / .TMP — malware analysis report

Static analysis result for SHA-256 4e6ee603721edc4d…

Verdict: MALICIOUS

File type: Office (OLE) / .TMP

Size: 106.5 KB (109,057 bytes)
Created: 2009-03-23 02:20:00
Authoring application: Microsoft Office Word
MD5: 66d9a07fc455c3aa6613a5e9d99384b1
SHA-1: 2e1589eaa186bf984b4cf706ae545edbb280550e
SHA-256: 4e6ee603721edc4dd3991b97fba7e66415af1db2189e6237662ccfb49b9ff8c3
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The sample is an OLE (Compound File Binary) document in which about 81% of the file lies outside any declared stream, a strong obfuscation indicator. Heuristics also found three Win32 API names ('CreateProcessA', 'ExitProcess', 'CreateFileA') XOR-encoded with the single-byte key 0x63, and an x86 GetPC stub (CALL $+5; POP EAX). Together these are characteristic of position-independent shellcode: the GetPC stub lets the code locate its own address at run time, and XOR-encoding keeps the API names it resolves out of plain-string scans. No readable document body text and no embedded scripts or macros were extracted, so the exploit trigger and payload delivery mechanism cannot be characterised further from static analysis alone.
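The two shellcode indicators above can be reproduced with a short scanner. The following is an added example written for this page, not tooling from the scanning service or code from the sample: SAMPLE is a constructed buffer, API_NAMES is an illustrative list of import names commonly resolved by shellcode, and the single-byte XOR search is the general form of the check of which the report's key 0x63 is one instance.

```python
"""Scan a byte buffer for (a) Win32 API names hidden under a single-byte XOR key and
(b) the x86 GetPC stub CALL $+5 ; POP r32. Added example; SAMPLE is constructed data."""

API_NAMES = [b"CreateProcessA", b"ExitProcess", b"CreateFileA",
             b"LoadLibraryA", b"GetProcAddress", b"URLDownloadToFileA"]   # illustrative subset

GETPC_CALL = b"\xe8\x00\x00\x00\x00"          # CALL rel32 with displacement 0, i.e. CALL $+5
POP_REGS = {0x58: "EAX", 0x59: "ECX", 0x5a: "EDX", 0x5b: "EBX",
            0x5c: "ESP", 0x5d: "EBP", 0x5e: "ESI", 0x5f: "EDI"}   # POP r32 opcodes


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xor_api_names(buf: bytes, names=API_NAMES, min_len: int = 8) -> dict:
    """Return {key: [(offset, api_name), ...]} for every single-byte key under which at least
    one API name occurs in buf. Each name is encoded once per key and located with bytes.find,
    so the cost is 256 * len(names) searches rather than 256 full-buffer decodes. Key 0 reports
    plaintext occurrences; names shorter than min_len are skipped to limit false positives."""
    hits: dict = {}
    for key in range(256):
        for name in names:
            if len(name) < min_len:
                continue
            needle = xor_bytes(name, key)
            pos = buf.find(needle)
            while pos != -1:
                hits.setdefault(key, []).append((pos, name.decode()))
                pos = buf.find(needle, pos + 1)
    return hits


def best_xor_key(hits: dict):
    """Key that decodes the most names, or None. One key decoding several names is what
    separates real shellcode from a coincidental single match."""
    return max(hits, key=lambda k: len(hits[k])) if hits else None


def find_getpc_stubs(buf: bytes) -> list:
    """Return [(offset, register), ...] for every CALL $+5 immediately followed by POP r32.
    The CALL pushes the address of the next instruction, which the POP then loads."""
    stubs = []
    pos = buf.find(GETPC_CALL)
    while pos != -1:
        nxt = pos + len(GETPC_CALL)
        if nxt < len(buf) and buf[nxt] in POP_REGS:
            stubs.append((pos, POP_REGS[buf[nxt]]))
        pos = buf.find(GETPC_CALL, pos + 1)
    return stubs


# Constructed test buffer (not bytes from the analysed file): 512 bytes of filler, the GetPC
# stub, NOP padding, three API names XOR-encoded with the key the report flags, more filler.
SAMPLE_KEY = 0x63
SAMPLE = (bytes(range(256)) * 2
          + b"\xe8\x00\x00\x00\x00\x58"                     # CALL $+5 ; POP EAX
          + b"\x90" * 8
          + xor_bytes(b"CreateProcessA\x00ExitProcess\x00CreateFileA\x00", SAMPLE_KEY)
          + bytes(range(256)))


def scan(buf: bytes) -> dict:
    hits = find_xor_api_names(buf)
    key = best_xor_key(hits)
    return {"xor_key": key,
            "xor_names": sorted(n for _, n in hits.get(key, [])),
            "getpc_stubs": find_getpc_stubs(buf)}


if __name__ == "__main__":
    r = scan(SAMPLE)
    if r["xor_key"] is not None:
        print(f"XOR key 0x{r['xor_key']:02x} decodes {r['xor_names']}")
    for off, reg in r["getpc_stubs"]:
        print(f"GetPC stub at offset {off}: CALL $+5 ; POP {reg}")
```

On a real file, run scan() over the whole document rather than only its streams: the encoded names in this class of sample sit in sector slack that no stream covers. A GetPC stub on its own is a weak signal (it also appears in legitimate position-independent code); the combination with one key decoding several import names is what justifies the critical rating.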

Heuristics (3)

  • XOR-encoded strings (key 0x63) (critical, SC_XOR_ENCODED)
    Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0x63: 'CreateProcessA', 'ExitProcess', 'CreateFileA'.
  • x86 GetPC stub (CALL $+5; POP EAX) (high, SC_GETPC_CALL)
    Byte sequence E8 00 00 00 00 58: a CALL to the very next instruction pushes its own return address, which POP EAX then loads, giving position-independent code its current address without relocations.
  • OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY)
    The OLE file is 109,057 bytes but its declared streams total only 20,639 bytes; the remaining 88,418 bytes (81%) lie in sectors that no stream chain references. This unallocated slack is the canonical hiding place for pre-macro-era Office exploit payloads: a parser pointer-corruption bug in the document structure redirects execution into the XOR-encoded shellcode stored there.