Office (OLE) / .TMP malware analysis — malicious · f20c48ad3bce5def

MALICIOUS

Office (OLE) / .TMP

95.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: ed208886b60a344b6295a24ee7992576 SHA-1: 736ded2d406ce91f54ce7467889777b497063e2b SHA-256: f20c48ad3bce5def2fd90690d9c14c86b35b2012e27c773fdabfe3ffb910ced8

120 Risk Score

Malware Insights

The sample is an OLE document with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. Heuristics indicate the use of LoadLibrary and GetProcAddress APIs, common for loading and executing dynamic link libraries (DLLs). While no specific document body or script content was extracted, the API calls suggest a downloader or loader functionality. The file type and API usage point towards a malicious macro-enabled document, likely attempting to fetch and run a second-stage payload.

Heuristics 3

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 97,796 bytes but its declared streams total only 24,565 bytes — 73,231 bytes (75%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.