Office (OLE) / .TMP malware analysis — malicious · ac4ec68c816eda1c

MALICIOUS

Office (OLE) / .TMP

52.9 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 492a76071c9be654a821f322752fdb4a SHA-1: 5c4b80cbc44e66ce52e29c54901d62f8ac976c0f SHA-256: ac4ec68c816eda1ca0e1c8671056782a3d9d4fedb2de48c3f6ec4c9bb5aaf82a

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059 Command and Scripting Interpreter

The sample is an OLE document with a high degree of slack space, indicating potential obfuscation or embedded malicious content. The presence of an x86 GetPC stub further suggests the execution of non-standard code. While no specific payload or delivery mechanism is directly evident from the limited heuristics and lack of document body or script content, these indicators strongly suggest a malicious intent, likely for payload delivery.

Heuristics 2

x86 GetPC stub (CALL $+5; POP EDI) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP EDI)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 54,154 bytes but its declared streams total only 24,565 bytes — 29,589 bytes (55%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.