Win.Worm.Kido-217 — Office (OLE) / .PPT malware analysis

Static analysis result for SHA-256 182311e3a97bc1e9…

MALICIOUS

Office (OLE) / .PPT

Size: 545.8 KB
Created: 2010-05-30 15:16:08
Authoring application: Microsoft PowerPoint
MD5: 39bdd6f6fcad5190688850aa1f3f01e8
SHA-1: cad30eca70b334bebaad3dea4aa2c3e90bce3c83
SHA-256: 182311e3a97bc1e94b1f632a729ae8e89d1c6f896cde9774c9f6adfcb6bd1b10
Risk score: 302

Malware Insights

Win.Worm.Kido-217 · confidence 95%

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1027 Obfuscated Files or Information
  • T1105 Ingress Tool Transfer

The sample is a PowerPoint file identified as malicious by ClamAV (Win.Worm.Kido-217). It contains an embedded PE executable, indicating an attempt to deliver a secondary payload. Heuristics indicate the use of APIs like VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress, commonly used by malware to load and execute code. The embedded executable is the primary IOC.

Heuristics (8)

  • Embedded PE executable [critical] (OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Win.Worm.Kido-217 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Worm.Kido-217
  • ClamAV detection on extracted artifact [critical] (EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Reference to LoadLibrary API [high] (SC_STR_LOADLIBRARY)
    Reference to LoadLibrary API
  • Reference to GetProcAddress API [high] (SC_STR_GETPROCADDRESS)
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API [medium] (SC_STR_VIRTUALALLOC)
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API [medium] (SC_STR_VIRTUALPROTECT)
    Reference to VirtualProtect API
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_0005f800.exe
SHA-256: 9b091aa4d3aa8e5d7ab513720e2ac179e09556c0361cd4976d5607010addfe44
Kind: embedded-pe
Source: Office MZ+PE at offset 0x5F800
Size: 167765 bytes
Detection: ClamAV: Win.Worm.Kido-217
Obfuscation or payload: likely (carved artifact entropy is 7.93, consistent with packed or encrypted content)