Office (OLE) / .PPT malware analysis — malicious · 1dffc82793413a25

MALICIOUS

Office (OLE) / .PPT

292.0 KB Created: 2009-05-21 02:07:35 Authoring application: Microsoft PowerPoint

MD5: cc53da7b22a6504b85e296998b09cd7f SHA-1: f98c8f0c059072e7aac0c24237af48b2f1cd8b91 SHA-256: 1dffc82793413a25b0f37aca639cbde13e8619801f3ca7dc251a7e67b4788834

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

Static analysis detected several high-severity heuristics, including a NOP sled and XOR-encoded strings with a key of 0x31. The large slack space in the OLE structure is also anomalous. These indicators suggest the file contains obfuscated malicious code, likely intended to download and execute a secondary payload. The specific attack pattern is inferred from the nature of these obfuscation techniques commonly used in malware delivery.

Heuristics 3

XOR-encoded strings (key 0x31) critical SC_XOR_ENCODED

Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x31: 'ADVAPI32.DLL'
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 299,012 bytes but its declared streams total only 18,081 bytes — 280,931 bytes (94%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.