Malicious Office (OLE) / .TMP — malware analysis report

Static analysis result for SHA-256 ab0ca9c5a518b6c2…

MALICIOUS

Office (OLE) / .TMP

Size: 95.5 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
MD5: e29c181d075c97a7d6a362960ad629a7
SHA-1: 91046a28d3a3747dc0a30e76a1170b24b35a5dfe
SHA-256: ab0ca9c5a518b6c203affaa548a086573de40f1c6027238522601a786d11f78c
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The OLE document exhibits a significant slack space anomaly, which is often indicative of packing or obfuscation techniques used to hide malicious code. References to LoadLibrary and GetProcAddress APIs further suggest dynamic loading of functions, a common tactic in malware. Without a document body or scripts, the exact payload and delivery mechanism remain unclear, leading to a lower confidence in family attribution.

Heuristics (3)

  • Reference to LoadLibrary API (severity: high, rule: SC_STR_LOADLIBRARY)
    The file contains a string reference to the LoadLibrary API.
  • Reference to GetProcAddress API (severity: high, rule: SC_STR_GETPROCADDRESS)
    The file contains a string reference to the GetProcAddress API.
  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    The OLE file is 97,792 bytes, but its declared streams total only 24,565 bytes: 73,227 bytes (75%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).