Office (OLE) / .PPT malware analysis — malicious · 0e63b33bcfacb718

MALICIOUS

Office (OLE) / .PPT

83.5 KB Created: 2009-05-21 02:07:35 Authoring application: Microsoft PowerPoint

MD5: 74035f773e5c70e0aa158173c73d1be4 SHA-1: 7d1d2464c89f7280c200b0734c7087d4b761140a SHA-256: 0e63b33bcfacb7183c361cbc15f19a68aab8316db06b2a50eb2e73c1edb26e96

140 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The file is a Microsoft PowerPoint document exhibiting several high and critical heuristic warnings, including the detection of a NOP sled, XOR-encoded strings, and significant slack space within the OLE structure. These indicators suggest the presence of obfuscated malicious code designed to exploit a vulnerability within the PowerPoint application itself. The lack of readable document body text or extracted scripts prevents a more detailed analysis of the payload or specific exploit.

Heuristics 3

XOR-encoded strings (key 0x7C) critical SC_XOR_ENCODED

Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x7C: 'ADVAPI32.DLL'
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 85,508 bytes but its declared streams total only 18,081 bytes — 67,427 bytes (79%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.