Office (OLE) / .TMP malware analysis — malicious · b9940ba00d474288

MALICIOUS

Office (OLE) / .TMP

109.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 4beba09a6a6ad87ca42e9eaf66c626a9 SHA-1: 4239a3c442bd56f200708ac6523abbb59202e7d0 SHA-256: b9940ba00d474288fb48e0c5f1cfed838ab97534b0443da26d44ccf881cb9066

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1218 Signed Binary Proxy Execution T1059 Command and Scripting Interpreter

The sample is an OLE document with a significant slack space anomaly, indicating potential obfuscation or embedded content. Heuristics indicate the use of CreateProcess, LoadLibrary, and GetProcAddress APIs, suggesting the execution of external code or dynamic loading of functions. The document body presents itself as an application form, likely a lure to encourage the user to interact with the malicious content. No scripts were extracted, and the family is unknown.

Heuristics 4

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 111,616 bytes but its declared streams total only 21,308 bytes — 90,308 bytes (81%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.