Office (OLE) / .TMP malware analysis — malicious · ca3fabcf8123a6af

MALICIOUS

Office (OLE) / .TMP

155.8 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: 0238a0f8cb102bb12f0c748b625400d4 SHA-1: a8712c023f3e5bb1e0b7971787085bef7f4e5db0 SHA-256: ca3fabcf8123a6af5f6247fe4a2906da3ae4891ad677fc79b4feac1ec26cc716

200 Risk Score

Malware Insights

MITRE ATT&CK

T1559.001 Component Object Model Hijacking T1204.002 Malicious File

The OLE document exhibits a significant slack space anomaly and critically contains an embedded PE executable. Heuristics indicate the use of VirtualAlloc, LoadLibrary, and GetProcAddress APIs, suggesting the embedded executable is likely unpacked or loaded dynamically. The presence of an embedded executable strongly indicates a dropper or downloader functionality, aiming to execute a secondary payload.

Heuristics 5

Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 159,492 bytes but its declared streams total only 94,801 bytes — 64,691 bytes (41%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_office_0001c800.exe` `25fc2cf9f30633519874c71982102298c4090b085609008c213a348bfa9dc50f`	embedded-pe	Office MZ+PE at offset 0x1C800	42756 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.