Office (OLE) / .TMP malware analysis — malicious · b6b4b0a2ae322302

MALICIOUS

Office (OLE) / .TMP

273.0 KB Created: 2009-02-26 07:53:00 Authoring application: Microsoft Office Word

MD5: 316408b936b480ae9183430b760f4ecd SHA-1: 6e3ded6f5f82db7cb2486b9089a16dc7a595575c SHA-256: b6b4b0a2ae3223026c1904e53cbd32cca71ecca294a5f5deb120b6d09841d2aa

100 Risk Score

Malware Insights

The sample is an OLE document with a large amount of slack space, indicating potential obfuscation or embedded malicious content. A critical heuristic identified XOR-encoded strings with a key of 0xC2, suggesting an attempt to hide malicious code or data. No document body or script content was available for further analysis, limiting the ability to determine the exact payload or attack vector. The confidence is lowered due to the lack of specific payload details.

Heuristics 2

XOR-encoded strings (key 0xC2) critical SC_XOR_ENCODED

Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0xC2: 'advapi32.dll', 'RegOpenKeyExA'
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 279,556 bytes but its declared streams total only 16,543 bytes — 263,013 bytes (94%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.