Malicious Office (OLE) / .TMP — malware analysis report

Static analysis result for SHA-256 ce8b71ebd203ca28…

MALICIOUS

Office (OLE) / .TMP

Size: 246.0 KB | Created: 2008-07-11 06:57:00 | Authoring application: Microsoft Office Word
MD5: 3d00511460717735b1c8959410ac2c52
SHA-1: 73cb10dce75470f0a1452fb524dcd3ce8fab0f7b
SHA-256: ce8b71ebd203ca28ba0d4b0792dbcf56ea940862da40513d44f6d5332334d5e4
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The OLE document exhibits a significant slack space anomaly (93%), which is a strong indicator of malicious intent, potentially as a container for exploits or further payloads. The presence of a NOP-equivalent sled and a GetPC stub further supports this assessment. No document body or scripts were extracted, limiting the ability to determine the specific attack vector or family.

Heuristics (3)

  • x86 GetPC stub (CALL $+5; POP EAX) [high] SC_GETPC_CALL
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 251,913 bytes but its declared streams total only 16,543 bytes; 235,370 bytes (93%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • NOP-equivalent sled detected [medium] SC_NOP_EQUIV_SLED
    Long run of 0x61 bytes