Malicious Office (OLE) / .TMP — malware analysis report

Static analysis result for SHA-256 fd7ba91069cfa81d…

MALICIOUS

Office (OLE) / .TMP

141.5 KB Created: 1996-10-14 23:33:28 Authoring application: Microsoft Excel
MD5: 8a943c2cda65e64bf507d868c92373f5 SHA-1: 13a21910806212f03b971869e9a4ba5655754f80 SHA-256: fd7ba91069cfa81d09e4a1623dd9e450ec9dc5514f616609aa883827f56efa5b
100 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The sample is an OLE document with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. The SC_XOR_ENCODED heuristic firing suggests that strings within the file are XOR-encoded with a key of 0xFC, a common technique to hide malicious code or URLs. While no specific payload or delivery mechanism is directly evident from the limited document body, the combination of these factors strongly suggests a malicious intent, likely involving the execution of obfuscated code.

Heuristics 2

  • XOR-encoded strings (key 0xFC) critical SC_XOR_ENCODED
    Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0xFC: 'LoadLibraryA', 'GetProcAddress', 'RegOpenKeyExA', 'ShellExecuteA'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 144,896 bytes but its declared streams total only 15,628 bytes — 129,268 bytes (89%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.