Malicious Office (OLE) / .TMP — malware analysis report

Static analysis result for SHA-256 bc51939ca3a8b10d…

MALICIOUS

Office (OLE) / .TMP

124.9 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word
MD5: 3a0492f95f929b9318c679bcd95ae30d SHA-1: 029503523fd435129c340decfeebb03371624a36 SHA-256: bc51939ca3a8b10d352e2b96583409dd8a5d3f4ba62ac5e7c47a3c7f8b2a2b66
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1055 Process Injection

The sample is an OLE document with a significant slack space anomaly, indicating potential obfuscation or embedded malicious content. Heuristics indicate the use of VirtualProtect, LoadLibrary, and GetProcAddress APIs, suggesting the loading and execution of shellcode. While no specific script was extracted, these API calls strongly imply the document is designed to download and execute a second-stage payload. The embedded URLs, though many are confirmed benign, include a few with unknown reputation that could be related to the malicious activity.

Heuristics 5

  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 127,904 bytes but its declared streams total only 21,151 bytes — 106,753 bytes (83%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.hrwf.net/north_korea/NK_EU.html
    • http://www.hrwf.net
    • http://www.eias.org/publications/briefing/2003/eudprkstandstill.pdf
    • http://ec.europa.eu/external_relations/north_korea/csp/01_04_en.pdf
    • http://ec.europa.eu/external_relations/north_korea/intro/index.htm
    • http://www.unhchr.ch/Huridocda/Huridoca.nsf/(Symbol)/E.CN.4.RES.2003.10.En?Opendocument
    • http://ec.europa.eu/external_relations/human_rights/doc/index.htm
    • http://www.europarl.europa.eu/pv2/pv2?PRG=DOCPV&APP=PV2&DATE=230399&DATEF=990323&TPV=DEF&TYPEF=TITRE&POS=1&SDOCTA=11&TXTLST=2&Type_Doc=RESOL&PrgPrev=PRG@TITRE%7CAPP@PV2%7CTYPEF@TITRE%7CYEAR@99%7CFind@korea%7CFILE@BIBLIO99%7CPLAGE@1&LANGUE=EN
    • http://www.europarl.europa.eu/meetdocs/2004_2009/organes/dkor/dkor_meetinglist.htm
    • http://www.europarl.europa.eu/pv2/pv2?PRG=DOCPV&APP=PV2&LANGUE=EN&SDOCTA=11&TXTLST=2&POS=1&Type_Doc=RESOL&TPV=DEF&DATE=230399&PrgPrev=PRG@TITRE%7CAPP@PV2%7CTYPEF@TITRE%7CYEAR@99%7CFind@korea%7CFILE@BIBLIO99%7CPLAGE@1&TYPEF=TITRE&NUMB=2&DATEF=990323
    • http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P5-TA-2001-0307+0+DOC+XML+V0//EN&language=EN
    • http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P5-TA-2003-0023+0+DOC+XML+V0//EN&language=EN
    • http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P6-TA-2006-0280+0+DOC+XML+V0//EN&language=EN
    • http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P6-TA-2006-0357+0+DOC+XML+V0//EN&language=EN

Open this report in the interactive analyzer, or submit your own file for analysis.