MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1027 Obfuscated Files or Information
The sample is an OLE (Compound File Binary) document in which most of the file lies outside any declared stream, which indicates content hidden in unallocated sector slack rather than in the document's own data. Heuristics report XOR-encoded strings, a common obfuscation technique used to hide API names, malicious code or URLs from plain-text scanners, and an x86 GetPC stub, which shellcode uses to learn its own address in memory so it can reference data relative to that position. No document body or scripts were extracted, which limits further static analysis.
Heuristics (3)
- XOR-encoded strings (key 0x63) [critical, SC_XOR_ENCODED]: found 3 Windows library/API name(s) XOR-encoded with single-byte key 0x63: 'CreateProcessA', 'ExitProcess ', 'CreateFileA '
- x86 GetPC stub (CALL $+5; POP EAX) [high, SC_GETPC_CALL]: the byte sequence E8 00 00 00 00 58 (CALL $+5; POP EAX) is present; the CALL pushes the address of the following instruction, and the POP loads it into EAX, giving position-independent shellcode a base for addressing its own data.
- OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]: the OLE file is 122,881 bytes but its declared streams total only 20,639 bytes; the remaining 102,242 bytes (83%) lie in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads: XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure.
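The two shellcode heuristics above (SC_XOR_ENCODED and SC_GETPC_CALL) can be reproduced with a short scan over the raw file bytes, without parsing the OLE structure at all. The example below is added here for illustration; it is not the analyzer's own code. It brute-forces every single-byte XOR key against a small list of API names, scans for the CALL $+5 ; POP r32 pattern (going slightly beyond the report's rule by accepting any 32-bit register in the POP, not just EAX), and feeds a constructed sample blob through both. The API name list, the severity thresholds and the sample bytes are assumptions made for the example.

```python
"""Single-byte XOR API-name scan and x86 GetPC stub scan over an opaque blob.

Added example, not the analyzer's code. The name list, severity mapping and
the SAMPLE blob below are assumptions constructed for this illustration.
"""
from __future__ import annotations

# API names worth looking for in XOR-encoded form (assumed list, extend freely).
API_NAMES = [
    b"CreateProcessA", b"ExitProcess", b"CreateFileA", b"LoadLibraryA",
    b"GetProcAddress", b"WinExec", b"URLDownloadToFileA",
]

CALL_NEXT = b"\xe8\x00\x00\x00\x00"          # CALL rel32 with displacement 0 (CALL $+5)
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # POP r32 = 0x58 + reg


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (same routine encodes and decodes)."""
    return bytes(b ^ key for b in data)


def find_xor_encoded_names(blob: bytes, names=API_NAMES, min_hits: int = 2) -> dict[int, list[tuple[int, str]]]:
    """Map key -> [(offset, name), ...] for every key that reveals >= min_hits names.

    Key 0x00 is skipped: a plaintext API name is not obfuscation. Searching the
    encoded form of each name (rather than decoding the whole blob 255 times)
    keeps the scan cheap on large files.
    """
    results: dict[int, list[tuple[int, str]]] = {}
    for key in range(1, 256):
        hits: list[tuple[int, str]] = []
        for name in names:
            enc = xor_bytes(name, key)
            off = blob.find(enc)
            while off != -1:
                hits.append((off, name.decode()))
                off = blob.find(enc, off + 1)
        if len(hits) >= min_hits:
            results[key] = sorted(hits)
    return results


def find_getpc_stubs(blob: bytes) -> list[tuple[int, str]]:
    """Offsets of CALL $+5 immediately followed by POP r32, with the register name."""
    stubs: list[tuple[int, str]] = []
    off = blob.find(CALL_NEXT)
    while off != -1:
        nxt = off + len(CALL_NEXT)
        if nxt < len(blob) and 0x58 <= blob[nxt] <= 0x5F:
            stubs.append((off, REG32[blob[nxt] - 0x58]))
        off = blob.find(CALL_NEXT, off + 1)
    return stubs


def scan(blob: bytes) -> list[dict]:
    """Run both heuristics and return report-style findings (assumed severity rule:
    three or more decoded names is 'critical', fewer is 'high')."""
    findings = []
    for key, hits in find_xor_encoded_names(blob).items():
        names = sorted({n for _, n in hits})
        findings.append({
            "id": "SC_XOR_ENCODED",
            "severity": "critical" if len(names) >= 3 else "high",
            "detail": f"{len(names)} API name(s) XOR-encoded with key 0x{key:02x}: {', '.join(names)}",
        })
    for off, reg in find_getpc_stubs(blob):
        findings.append({
            "id": "SC_GETPC_CALL",
            "severity": "high",
            "detail": f"x86 GetPC stub (CALL $+5; POP {reg.upper()}) at offset 0x{off:x}",
        })
    return findings


# Constructed sample: OLE magic, zero filler, a NOP sled, a GetPC stub, and three
# API names XOR-encoded with key 0x63, mimicking the shape the report describes.
KEY = 0x63
SAMPLE = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # OLE/CFB signature
    + b"\x00" * 24                           # filler (stands in for slack)
    + b"\x90" * 8                            # NOP sled
    + CALL_NEXT + b"\x58"                    # CALL $+5 ; POP EAX  (offset 40)
    + b"\x83\xc0\x20"                        # ADD EAX, 0x20 (point at the string table)
    + xor_bytes(b"CreateProcessA\x00", KEY)  # offset 49
    + xor_bytes(b"ExitProcess\x00", KEY)     # offset 64
    + xor_bytes(b"CreateFileA\x00", KEY)     # offset 76
    + b"\x00" * 32
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f['severity']:8} {f['id']:16} {f['detail']}")
```

On a real file the scan should be run over the whole byte range, not just the declared streams, precisely because the payload the OLE_SLACK_ANOMALY heuristic points at lives in the unallocated region. Decoding with the recovered key and disassembling from the GetPC offset is the natural next step once the key is known.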