Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 1d96fc23974eb1ee…

MALICIOUS

Office (OLE) / .PPT

Size: 683.5 KB
Created: 2002-08-22 17:01:28
Authoring application: Microsoft PowerPoint
MD5: ac997cd092824e3bfaa852ffcf6ff1b3
SHA-1: c73755528ba44eb1be685d92e18c1e05e3db3aac
SHA-256: 1d96fc23974eb1ee16d0ecdfc82f221132800962abea907f5cf98f49b94a9a98
Risk Score: 220

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1218 Signed Binary Proxy Execution
  • T1071 Application Layer Protocol

The file is detected as Win.Trojan.Agent-40906. Heuristics flag references to the CreateProcess, LoadLibrary, and GetProcAddress APIs together with a suspicious cmd.exe invocation, a combination consistent with the execution of malicious code. The document body contains a chain message designed to encourage forwarding, a common social engineering tactic. While no specific script was extracted, the API references strongly suggest that the malware attempts to download and execute a second-stage payload.

Heuristics (5)

  • ClamAV: Win.Trojan.Agent-40906 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Agent-40906
  • Reference to CreateProcess API (severity: high, rule: SC_STR_CREATEPROCESS)
  • Suspicious cmd.exe invocation with execution flag (severity: high, rule: SC_STR_CMD)
  • Reference to LoadLibrary API (severity: high, rule: SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (severity: high, rule: SC_STR_GETPROCADDRESS)