Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 17f8f5a879b5be2b…

MALICIOUS

Office (OLE) / .PPT

Size: 213.0 KB
Created: 1601-01-01 00:00:00
Authoring application: Microsoft PowerPoint
MD5: b51ddfc6f93e4a39ef2d7c33cdbecb73
SHA-1: 0f5fa8f393fd1b4afb3a19358bcc064ae74d3008
SHA-256: 17f8f5a879b5be2b7908f202a6982cf51c340e648e2b215e5ee46edba40677be
Risk score: 410

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.005 Visual Basic

The sample is a malicious PowerPoint file that contains raw shellcode and exhibits characteristics of known exploits like CVE-2006-0022. It utilizes a PEB API-hash resolver and XOR-encoded strings, indicating a sophisticated payload. Although the VBA macros themselves contain no executable statements, the embedded OLE object and appended payload strongly suggest the execution of a secondary stage.

Heuristics (11)

  • PowerPoint malformed picture-record payload — CVE-2006-0022 related [high; CVE related] PPT_CVE_2006_0022_RELATED
    PowerPoint OLE file has a large Pictures stream with image-record material and MZ-like payload bytes, while the PowerPoint Document stream contains compact PEB/API-resolver shellcode. This is related to the CVE-2006-0022 malformed picture-record exploit family, but the static evidence is not specific enough for an exact CVE match.
  • XOR-encoded strings (key 0x92) [critical] SC_XOR_ENCODED
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x92: 'advapi32.dll', 'shell32.dll'
  • Embedded Office document has suspicious static findings [critical] EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • NOP sled detected [high] SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • x86 GetPC stub (CALL $+5; POP EBX) [high] SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EBX)
  • PEB access via FS segment (x86) [high] SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • PEB API-hash resolver [high] SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • OLE file contains raw shellcode-like resolver payload [high] OLE_RAW_SHELLCODE_PAYLOAD
    Malformed or legacy OLE file contains raw PEB/API-resolver shellcode bytes at the file level, including loader-walk instructions and a nearby payload marker. This indicates an exploit payload carrier but does not identify a specific parser CVE.
  • OLE file has appended executable-looking payload bytes [high] OLE_APPENDED_PAYLOAD
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • VBA project contains no executable statements [low] OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.olympic.org

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 4ed1f422dab9fb18a3ffaa913611bd4004b0a8a3a4ce8f161362d1de24033dfe
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 296 bytes

Filename: embedded_office_off0000f000.ole
SHA-256: 052c6980f1a6c98e3fcf5a8264c77be09d003bb1718cef81f9fdb20559ce3de1
Kind: embedded-office
Source: Embedded OLE/CFB Office body inside ole container at offset 0xF000
Size: 156672 bytes