Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1da5d3c000bea960…

MALICIOUS

Office (OLE)

279.2 KB Created: 2009-05-21 02:07:35 Authoring application: Microsoft PowerPoint
MD5: 65de386d1cc1bc586a087bd8e0c4ea7b SHA-1: 1ce6595ce1179f312a893f4676bb87fedd0233ee SHA-256: 1da5d3c000bea960016f41f875fa1edc206682eb73e6900f3693a87896c84d7f
80 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The sample is a Microsoft PowerPoint document exhibiting a large slack space anomaly and a NOP sled, indicating potential shellcode execution. The document body is heavily obfuscated and truncated, preventing a clear understanding of its intended lure. However, the presence of these indicators strongly suggests an exploit targeting the PowerPoint application itself.

Heuristics 2

  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 285,902 bytes but its declared streams total only 18,081 bytes — 267,821 bytes (94%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.