Win.Trojan.Agent-40906 — Office (OLE) / .PPT malware analysis

Static analysis result for SHA-256 17a4c0b368cff2d5…

MALICIOUS

Office (OLE) / .PPT

1.46 MB Created: 2005-01-13 09:52:25 Authoring application: Microsoft PowerPoint
MD5: f64aeb3c11f0e4bfd4113f06d1ec8b57 SHA-1: 607e12a6f15fe42933de4e99b5779c5855392b53 SHA-256: 17a4c0b368cff2d579aae10fbe64cd358287453669be0fe7f61251d673cf3433
222 Risk Score

Malware Insights

Win.Trojan.Agent-40906 · confidence 95%

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample exhibits high-severity heuristics indicating the use of CreateProcess, LoadLibrary, and GetProcAddress APIs, along with a suspicious cmd.exe invocation. ClamAV detection confirms it as Win.Trojan.Agent-40906. These indicators suggest the file is designed to execute a secondary payload, likely downloaded from one of the embedded URLs.

Heuristics 6

  • ClamAV: Win.Trojan.Agent-40906 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Agent-40906
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.virtuallandmedia.com
    • http://www.webutilities.com
    • http://hjem.wanadoo.dk/~wan30952
    • http://www.mindworkshop.com
    • http://www.ulead.com
    • http://dreamartists.com/animated.htm
    • http://www.mindworkshop.com�

Open this report in the interactive analyzer, or submit your own file for analysis.