Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 06567f3ffc258720…

MALICIOUS

Office (OLE) / .PPT

Size: 2.12 MB
Created: 2004-08-05 03:23:10
Authoring application: Microsoft Office PowerPoint
MD5: f3b35423bed71feac951807e0d5bd6c6
SHA-1: a69cdea8f45a3b6b293fc54e968b352676b98010
SHA-256: 06567f3ffc258720f03f14163831c44f888c40fec1bccc30fd0833739d5164a1
Risk score: 260

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample triggers high-severity heuristics for an x86 GetPC stub (CALL $+5; POP EBX) and for string references to the Windows API names WinExec, VirtualAlloc, VirtualProtect, LoadLibrary and GetProcAddress. Together these are the fingerprint of position-independent shellcode that resolves its imports at run time and then allocates, unprotects and executes code, most likely a second-stage payload; ClamAV additionally matches the file with its Win.Trojan.PcClient-54 signature. The Chinese text in the document body does not appear to be tied to the malicious functionality and is most likely lure or unrelated content.

Heuristics (7)

  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Win.Trojan.PcClient-54
  • SC_GETPC_CALL (high): x86 GetPC stub (CALL $+5; POP EBX)
  • SC_STR_WINEXEC (high): Reference to WinExec API
  • SC_STR_LOADLIBRARY (high): Reference to LoadLibrary API
  • SC_STR_GETPROCADDRESS (high): Reference to GetProcAddress API
  • SC_STR_VIRTUALALLOC (medium): Reference to VirtualAlloc API
  • SC_STR_VIRTUALPROTECT (medium): Reference to VirtualProtect API
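The following scanner is an added example and is not the report's own tooling: it reimplements the byte-level logic behind the SC_GETPC_CALL and SC_STR_* heuristics above and runs it over a constructed byte blob that stands in for an OLE/PPT file (not bytes from the analysed sample). It generalises the report's CALL $+5; POP EBX rule to all eight POP r32 encodings, matches API names in both ASCII and UTF-16LE, and combines the hits with an assumed "shellcode-like" rule (GetPC stub plus at least one loader API string). The report does not publish how its risk score of 260 is derived, so no score is computed.

```python
"""Byte-level scanner for the shellcode heuristics listed in this report.

Added example, not part of the report or its scanner. Reproduces the logic
behind SC_GETPC_CALL and the SC_STR_* heuristics over raw file bytes.
"""
import re

# CALL $+5 (E8 00 00 00 00) followed by POP r32 (58..5F). The report's rule
# names only POP EBX (5B); matching all eight POP registers is a
# generalisation of that rule, not something the report states.
GETPC_RE = re.compile(rb"\xe8\x00\x00\x00\x00([\x58-\x5f])")
POP_REG = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]

# (heuristic ID, severity) as given in the report, with the API-name substring
# each one looks for. LoadLibrary is matched as a prefix so the A/W/Ex
# variants all fire.
API_HEURISTICS = [
    ("SC_STR_WINEXEC",        "high",   b"WinExec"),
    ("SC_STR_LOADLIBRARY",    "high",   b"LoadLibrary"),
    ("SC_STR_GETPROCADDRESS", "high",   b"GetProcAddress"),
    ("SC_STR_VIRTUALALLOC",   "medium", b"VirtualAlloc"),
    ("SC_STR_VIRTUALPROTECT", "medium", b"VirtualProtect"),
]


def _utf16le(name: bytes) -> bytes:
    """Office streams and some loaders carry API names as UTF-16LE."""
    return name.decode("ascii").encode("utf-16-le")


def scan(data: bytes) -> list[dict]:
    """Return one finding per hit: {id, severity, offset, detail}."""
    findings = []
    for m in GETPC_RE.finditer(data):
        reg = POP_REG[m.group(1)[0] - 0x58]
        findings.append({"id": "SC_GETPC_CALL", "severity": "high",
                         "offset": m.start(), "detail": f"CALL $+5; POP {reg}"})
    for hid, sev, name in API_HEURISTICS:
        for enc, pat in (("ascii", name), ("utf-16le", _utf16le(name))):
            for m in re.finditer(re.escape(pat), data):
                findings.append({"id": hid, "severity": sev, "offset": m.start(),
                                 "detail": f"{name.decode()} ({enc})"})
    return sorted(findings, key=lambda f: f["offset"])


def triage(data: bytes) -> dict:
    """Summarise findings. 'shellcode_like' is an assumed combination rule
    (GetPC stub plus at least one loader API string); the report does not
    publish how its risk score is derived, so none is computed here."""
    findings = scan(data)
    ids = {f["id"] for f in findings}
    loader_apis = {"SC_STR_WINEXEC", "SC_STR_LOADLIBRARY", "SC_STR_GETPROCADDRESS"}
    return {
        "findings": findings,
        "heuristics": ids,
        "high": sum(f["severity"] == "high" for f in findings),
        "medium": sum(f["severity"] == "medium" for f in findings),
        "shellcode_like": "SC_GETPC_CALL" in ids and bool(ids & loader_apis),
    }


# Constructed stand-in for a malicious OLE file: real compound-file magic,
# a NOP sled, a GetPC stub and a hand-written import-by-name string table.
# These are NOT bytes from the analysed sample.
SAMPLE = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # OLE2 compound file signature
    + b"\x00" * 24
    + b"\x90" * 16                           # NOP sled
    + b"\xe8\x00\x00\x00\x00\x5b"           # CALL $+5 ; POP EBX  (offset 48)
    + b"\x83\xc3\x10"                        # ADD EBX, 0x10 -> EBX points at strings
    + b"kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00WinExec\x00"
    + "VirtualAlloc".encode("utf-16-le")     # same API name, UTF-16LE encoded
    + b"\x00" * 32
)

if __name__ == "__main__":
    result = triage(SAMPLE)
    for f in result["findings"]:
        print(f"0x{f['offset']:06x} {f['severity']:6} {f['id']:22} {f['detail']}")
    print("shellcode-like:", result["shellcode_like"])
```

To run it against a real file, pass `open(path, "rb").read()` to `triage()`. Two caveats apply in practice: a whole-file scan only sees bytes that are stored uncompressed, so a legitimate OLE parser (for example olefile) should be used to walk the streams and scan each one; and the API-name strings alone are weak evidence, because any embedded PE object (an OLE-packaged EXE or DLL) carries the same import names. The GetPC stub, which compilers almost never emit, is what turns the string hits into a shellcode verdict, which is why the combination rule above requires it.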