Malicious Office (OLE) / .TMP — malware analysis report

Static analysis result for SHA-256 53a5c89591f7a6cb…

MALICIOUS

Office (OLE) / .TMP

Size: 75.0 KB
Created: 1601-01-01 00:00:00
Authoring application: Microsoft Word 6.0
First seen: 2026-05-10
MD5: 04c8a46df863439f7b76a884d20813df
SHA-1: fd364bd69bd01e8987b9e2255a4d36042fc3a9a5
SHA-256: 53a5c89591f7a6cb1f89ea959d89db038055de93ced7699dd4ee604da9954550
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

The file is a legacy Microsoft Word document containing a WordBasic macro, indicated by the OLE_LEGACY_WORDBASIC_AUTOEXEC heuristic. The macro is likely designed to exploit a vulnerability, as suggested by the SC_HEAP_SPRAY and EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE heuristics, which point to heap spraying and suspicious embedded content. The macro's purpose appears to be executing arbitrary code, potentially to download and run a secondary payload, as evidenced by the embedded artifact name 'embedded_office_off00005a44.ole'.

Heuristics (6)

  • [critical] EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE: Embedded Office document has suspicious static findings
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • [high] SC_HEAP_SPRAY: Heap-spray pattern detected
    Repeated 0x07 bytes found
    Disassembly
    Attempted x86 opcode disassembly
  • [high] OLE_SLACK_ANOMALY: OLE document has large unaccounted-for region
    OLE file is 53,692 bytes but its declared streams total only 0 bytes — 53,692 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: Legacy WordBasic auto-exec macro marker
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • [medium] OLE_PARSE_EMPTY_STREAMS: CFB header with no readable streams
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
  • [medium] EXTRACTED_FILE_STATIC_TRIAGE: Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_off00005a44.ole
Kind: embedded-office
Source: Embedded OLE/CFB Office body inside ole container at offset 0x5A44
Size: 53692 bytes
SHA-256: aacd93b653d3b01561fbc6f2f1edb613e0159565ee259fc601c3b7ae40550ca8
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x07