Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 122f5b98fb2dee8c…

MALICIOUS

Office (OLE)

Size: 367.5 KB
Created: 1601-01-01 00:00:00
Authoring application: Microsoft PowerPoint
First seen: 2026-06-13
MD5: 0750872caa0b17323656ea42537b6179
SHA-1: 380d195966da7729d82a9f88b9d86f8c8e813ac0
SHA-256: 122f5b98fb2dee8cd684c7cfd4fa4688dcb50a33f5ab3f2761906f0e1098e26f
Risk Score: 162

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1027 Obfuscated Files or Information

The sample is a malicious PowerPoint file identified as exploiting the CVE-2011-1269 / MS11-036 vulnerability. It contains XOR-encoded strings and references to the CreateProcess API, indicating it attempts to execute a second-stage payload. The document body contains placeholder text and does not provide further context on the specific lure.

Heuristics (4)

  • PowerPoint binary-format RCE payload (CVE-2011-1269 / MS11-036 family) [critical, CVE related] PPT_BINARY_MEMORY_CORRUPTION_PAYLOAD
    A macro-free binary PowerPoint (.ppt) document carries a native code payload (embedded PE and/or process-injection shellcode), staged in an oversized binary stream. Legitimate presentations do not embed executables or shellcode; this is the payload half of a PowerPoint memory-corruption exploit (CVE-2011-1269 / MS11-036 family; the same record-overflow delivery is shared with CVE-2010-2572 and CVE-2009-0556).
  • XOR-encoded strings (key 0x73) [critical] SC_XOR_ENCODED
    Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x73: 'RegOpenKeyExA'
    Disassembly: attempted x86 opcode disassembly of the encoded region
  • Reference to CreateProcess API [high] SC_STR_CREATEPROCESS
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)