Office (OLE) / .TMP malware analysis — malicious · dc8f25a3b94104ea

MALICIOUS

Office (OLE) / .TMP

120.4 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.

MD5: 7db166a091c0d697e9af4ba7cdfb9208 SHA-1: 1535c797c568fcd4e6ca1d346e6edc353c925e8e SHA-256: dc8f25a3b94104ea6161281b52d31c7341ef6d1db2aab6c11074ccecf281e3b3

82 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1027 Obfuscated Files or Information

The OLE file exhibits significant slack space and appended executable-looking payload bytes, indicating an attempt to hide malicious content. The file format is unsupported for VBA extraction, suggesting potential obfuscation or a legacy format. The appended payload bytes are a strong indicator of a downloader or dropper functionality.

Heuristics 3

OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 123,289 bytes but its declared streams total only 16,486 bytes — 106,803 bytes (87%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD

OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED

olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.

Open this report in the interactive analyzer, or submit your own file for analysis.