Office (OLE) / .PPT malware analysis — malicious · 12ee357163ee9c8f

MALICIOUS

Office (OLE) / .PPT

40.9 KB Created: 1601-01-01 00:00:00 Authoring application: Microsoft PowerPoint

MD5: 6628244e30cd94b039e3eaace9ab0251 SHA-1: c8415e59b5b7b20aeb961b9ce4b56ea73d94e956 SHA-256: 12ee357163ee9c8f96faf0eea9e0c7557f50719d3e9dc5ad3c24c6aa4cebfac5

180 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1027 Obfuscated Files or Information

The sample is a malicious PowerPoint file containing XOR-encoded strings and raw shellcode. The heuristics indicate the presence of a PEB API-hash resolver and PEB access, suggesting an attempt to dynamically resolve API functions to evade detection. The XOR encoding with key 0x49 is a common obfuscation technique used to hide malicious payloads. The file likely attempts to download and execute a second-stage payload.

Heuristics 4

XOR-encoded strings (key 0x49) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x49: 'kernel32.dll', 'advapi32.dll', 'shell32.dll', 'KERNEL32.DLL', 'ADVAPI32.DLL', 'CreateProcessA', 'ExitProcess', 'ExitProcess'
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
PEB API-hash resolver high SC_API_HASH_RESOLVER

PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
OLE file contains raw shellcode-like resolver payload high OLE_RAW_SHELLCODE_PAYLOAD

Malformed or legacy OLE file contains raw PEB/API-resolver shellcode bytes at the file level, including loader-walk instructions and a nearby payload marker. This indicates an exploit payload carrier but does not identify a specific parser CVE.

Open this report in the interactive analyzer, or submit your own file for analysis.