Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 14ab351c7fb8bf11…

MALICIOUS

Office (OLE)

309.5 KB Created: 1601-01-01 00:00:00 Authoring application: Microsoft PowerPoint
MD5: 4da85e7eb246e8392100729c03d7d196 SHA-1: e257b4fe0374a365f121ed1ec135a17543e472fc SHA-256: 14ab351c7fb8bf11014a91cf9685e6f779394d200ab3d8035ef030dfe806b139
340 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell T1203 Exploitation for Client Execution

The file is a malicious PowerPoint document exhibiting several high-severity heuristics related to shellcode execution and appended payloads. The presence of XOR-encoded strings and PEB access suggests an attempt to obfuscate and execute malicious code. The embedded OLE object, with its own suspicious static findings, is likely responsible for delivering the final payload.

Heuristics 8

  • XOR-encoded strings (key 0x0F) critical SC_XOR_ENCODED
    Found 7 Windows library/API name(s) XOR-encoded with single-byte key 0x0F: 'LoadLibraryA', 'GetProcAddress', 'CreateProcessW', 'ExitProcess', 'CreateFileW', 'InternetOpenA', 'InternetOpenUrlA'
  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • x86 GetPC stub (CALL $+5; POP EBX) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EBX)
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • OLE file contains raw shellcode-like resolver payload high OLE_RAW_SHELLCODE_PAYLOAD
    Malformed or legacy OLE file contains raw PEB/API-resolver shellcode bytes at the file level, including loader-walk instructions and a nearby payload marker. This indicates an exploit payload carrier but does not identify a specific parser CVE.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 279,200 bytes but its declared streams total only 36,895 bytes — 242,305 bytes (87%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED
    Long run of 0x41 bytes

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_off00009360.ole
f558353e3b09274a7afce290fd586181029c8b766ad9e4b908daa6ead00dc313		 embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x9360 279200 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.