Malicious Office (OLE) / .PPS — malware analysis report

Static analysis result for SHA-256 2156e7f3fb5a9c06…

MALICIOUS

Office (OLE) / .PPS

Size: 404.0 KB
Created: 1601-01-01 00:00:00 (the zero value of a Windows FILETIME, i.e. the OLE metadata carries no real creation timestamp)
Authoring application: Microsoft PowerPoint
MD5: 53d194cf4b29dd3f655330f45ce81e13
SHA-1: 3b5a47b30a321f802978a991f85df0c991903cd2
SHA-256: 2156e7f3fb5a9c06b8158fe8df2efa8d45c3437e0d26d1f61e3ab55effc24b87
Risk Score: 220

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1204.002 User Execution: Malicious File

The sample is a PowerPoint slideshow (.PPS, an OLE compound file) that carries an embedded Portable Executable (PE) image at file offset 0x366E. The embedded code reads the Process Environment Block through the FS segment (fs:[0x30]) and then performs ROR13-style API hashing, the import-resolution pattern of position-independent x86 shellcode; it also references LoadLibrary and GetProcAddress by name. Together these indicate that the embedded executable resolves its Windows API imports at run time rather than through a normal import table, which is typical of a packed or shellcode-based loader. The embedded PE is the primary indicator of malicious intent. Its role as a downloader or initial payload is inferred from these static heuristics only; no behaviour was observed, since this is a static result.

Heuristics (5)

  • OLE_EMBEDDED_EXE (critical): Embedded PE executable. An MZ/PE header was found inside the document, indicating a possible embedded executable.
  • SC_PEB_ACCESS (high): PEB access via the FS segment (x86), i.e. a read of fs:[0x30], the TEB field that holds the PEB pointer.
  • SC_API_HASH_RESOLVER (high): PEB API-hash resolver. PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver.
  • SC_STR_LOADLIBRARY (high): Reference to the LoadLibrary API.
  • SC_STR_GETPROCADDRESS (high): Reference to the GetProcAddress API.
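As an added illustration that is not part of the analysis platform's output: the SC_PEB_ACCESS and SC_API_HASH_RESOLVER checks amount to byte-pattern matching on the carved code, and once such a resolver is found the hash constants it pushes can be named by recomputing the hash over candidate export names. The Python below does both. It assumes the Metasploit block_api convention (ROR13 over the upper-cased UTF-16LE module name plus ROR13 over the ASCII function name, each including its terminating NUL); the report does not say which ROR13 variant this sample uses, so a real triage may need additional variants in the table. The input bytes are constructed for the example and are not taken from the sample.

```python
"""Checks behind the SC_PEB_ACCESS / SC_API_HASH_RESOLVER heuristics, plus a ROR13 hash resolver."""
import re
import struct

# x86 encodings that load the PEB pointer from TEB+0x30 through the FS segment.
PEB_FS_PATTERNS = {
    b"\x64\xA1\x30\x00\x00\x00": "mov eax, fs:[0x30]",
    b"\x64\x8B\x0D\x30\x00\x00\x00": "mov ecx, fs:[0x30]",
    b"\x64\x8B\x15\x30\x00\x00\x00": "mov edx, fs:[0x30]",
    b"\x64\x8B\x1D\x30\x00\x00\x00": "mov ebx, fs:[0x30]",
    b"\x64\x8B\x35\x30\x00\x00\x00": "mov esi, fs:[0x30]",
    b"\x64\x8B\x50\x30": "mov edx, fs:[eax+0x30] (shellcode form, eax zeroed first)",
}
# ror r32, 13  ->  C1 /1 ib  (ModRM C8..CF selects the register), ib = 0x0D
ROR13_RE = re.compile(rb"\xC1[\xC8-\xCF]\x0D")


def find_peb_access(code: bytes):
    """Return sorted (offset, disassembly) pairs for every fs:[0x30] read."""
    hits = []
    for pat, asm in PEB_FS_PATTERNS.items():
        off = code.find(pat)
        while off != -1:
            hits.append((off, asm))
            off = code.find(pat, off + 1)
    return sorted(hits)


def find_ror13(code: bytes):
    """Offsets of every `ror r32, 13` instruction."""
    return [m.start() for m in ROR13_RE.finditer(code)]


def looks_like_hash_resolver(code: bytes, window: int = 64) -> bool:
    """SC_API_HASH_RESOLVER-style rule: a PEB read followed within `window` bytes by ror r32, 13."""
    rors = find_ror13(code)
    return any(0 < r - p <= window for p, _ in find_peb_access(code) for r in rors)


def ror13(h: int) -> int:
    return ((h >> 13) | (h << 19)) & 0xFFFFFFFF


def ror13_hash(buf: bytes) -> int:
    """h = ror13(h) + byte for every byte, wrapping at 32 bits (the order the shellcode loop uses)."""
    h = 0
    for b in buf:
        h = (ror13(h) + b) & 0xFFFFFFFF
    return h


def block_api_hash(module: str, func: str) -> int:
    """Assumed convention (Metasploit block_api): ror13 over the upper-cased UTF-16LE module
    name including its NUL, plus ror13 over the ASCII function name including its NUL."""
    mod = (module.upper() + "\0").encode("utf-16-le")
    return (ror13_hash(mod) + ror13_hash(func.encode("ascii") + b"\0")) & 0xFFFFFFFF


def build_hash_table(exports):
    """Pre-compute hashes for (module, function) pairs so constants found in code can be named."""
    return {block_api_hash(m, f): (m, f) for m, f in exports}


def resolve_pushed_hashes(code: bytes, table):
    """Name every `push imm32` (opcode 0x68) whose operand is a known API hash."""
    found = []
    for off in range(len(code) - 4):
        if code[off] == 0x68:
            (imm,) = struct.unpack_from("<I", code, off + 1)
            if imm in table:
                found.append((off, imm, table[imm]))
    return found


# Constructed test input (not bytes from the sample): a block_api-style prologue that walks
# fs:[0x30] -> PEB.Ldr -> the loader's module list and hashes a module name with ror13,
# followed by `push 0x0726774C`, the published block_api hash of kernel32!LoadLibraryA.
SAMPLE_CODE = bytes.fromhex(
    "60 89E5 31C0 648B5030 8B520C 8B5214 8B7228 0FB74A26 31FF"
    "AC 3C61 7C02 2C20 C1CF0D 01C7 E2F2"
) + b"\x68" + struct.pack("<I", 0x0726774C)

KNOWN_EXPORTS = [
    ("kernel32.dll", "LoadLibraryA"), ("kernel32.dll", "GetProcAddress"),
    ("kernel32.dll", "VirtualAlloc"), ("kernel32.dll", "WinExec"),
    ("kernel32.dll", "ExitProcess"), ("wininet.dll", "InternetOpenA"),
]

if __name__ == "__main__":
    print("PEB reads:", find_peb_access(SAMPLE_CODE))
    print("ror13 at:", [hex(o) for o in find_ror13(SAMPLE_CODE)])
    print("resolver-like:", looks_like_hash_resolver(SAMPLE_CODE))
    for off, imm, (m, f) in resolve_pushed_hashes(SAMPLE_CODE, build_hash_table(KNOWN_EXPORTS)):
        print(f"  +{off:#x}: push {imm:#010x} -> {m}!{f}")
```

Run it against the carved `embedded_office_0000366e.exe` instead of `SAMPLE_CODE` to see which imports the resolver is really after; a hash that stays unresolved usually means a different module list, a different rotation count, or a variant that hashes only the function name.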

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_0000366e.exe
SHA-256:  f5cf977054bb3b84210616841919586a7fd3a8cf992b8bb8caf65611deaf0830
Kind:     embedded-pe
Source:   Office, MZ+PE at offset 0x366E
Size:     399762 bytes
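The carve recorded above (MZ+PE at offset 0x366E) can be reproduced on any container without an Office parser: scan for MZ headers, validate each through e_lfanew to the PE signature and a plausible COFF header, then size the image from its section table. The Python below is an added example, not the analysis platform's own carver. The PE image and the OLE-like container it operates on are constructed inline; the 0x366E offset is reused from the report only so that the output reads like the artifact entry.

```python
"""Carve embedded MZ/PE images out of a container such as an OLE (Compound File Binary) document."""
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"          # CFB / OLE2 signature
MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}  # IMAGE_FILE_MACHINE_*


def parse_pe_at(data: bytes, off: int):
    """Validate MZ -> e_lfanew -> 'PE\\0\\0' at `off`; return a dict describing the image, or None."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, off + 0x3C)
    # Sanity bounds: NT headers follow the DOS header and must lie inside the buffer.
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or off + e_lfanew + 24 > len(data):
        return None
    pe = off + e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsect, _ts, _symp, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    if machine not in MACHINES or not 0 < nsect <= 96:
        return None
    # Image extent: end of the section table or the furthest raw section, whichever is larger.
    sect_tbl = e_lfanew + 24 + opt_size
    end = sect_tbl + nsect * 40
    for i in range(nsect):
        s = off + sect_tbl + i * 40
        if s + 40 > len(data):
            return None
        size_raw, ptr_raw = struct.unpack_from("<II", data, s + 16)   # SizeOfRawData, PointerToRawData
        if size_raw:
            end = max(end, ptr_raw + size_raw)
    end = min(end, len(data) - off)   # a truncated image is still reported, just shorter
    return {"offset": off, "size": end, "machine": MACHINES[machine], "sections": nsect}


def carve_pe(data: bytes):
    """Find every embedded PE image; 'MZ' strings that do not validate are skipped."""
    found, pos = [], 0
    while True:
        pos = data.find(b"MZ", pos)
        if pos == -1:
            return found
        info = parse_pe_at(data, pos)
        if info:
            found.append(info)
            pos += info["size"]
        else:
            pos += 1


def build_fake_pe() -> bytes:
    """Constructed data: a minimal, non-runnable PE32 with one .text section (not the real sample)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # i386, 1 section, PE32 optional hdr
    opt = bytes(0xE0)                                               # optional header contents irrelevant here
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = bytes(dos) + b"PE\0\0" + coff + opt + sect
    hdr += bytes(0x200 - len(hdr))                                  # pad headers up to PointerToRawData
    return hdr + b"\xC3" * 0x200                                    # 0x200 raw bytes of `ret`


def build_container(pe: bytes, at: int = 0x366E) -> bytes:
    """Constructed data: OLE magic, filler, a decoy 'MZ' that fails validation, then the PE image."""
    head = bytearray(at)
    head[:8] = OLE_MAGIC
    head[0x1000:0x1002] = b"MZ"       # decoy: its e_lfanew reads as 0 and is rejected
    return bytes(head) + pe + bytes(0x800)


if __name__ == "__main__":
    blob = build_container(build_fake_pe())
    for img in carve_pe(blob):
        name = f"embedded_office_{img['offset']:08x}.exe"
        print(f"{name}: MZ+PE at offset {img['offset']:#x}, {img['size']} bytes, "
              f"{img['machine']}, {img['sections']} section(s)")
        with open(name, "wb") as fh:
            fh.write(blob[img["offset"]:img["offset"] + img["size"]])
```

Two caveats for real samples: the size estimate ignores data past the last section (overlays, appended configuration or certificates), so compare it with the next structural boundary in the container before trusting it; and an image whose e_lfanew or section table is deliberately malformed will be rejected here, which is exactly the case where a hit on the simpler OLE_EMBEDDED_EXE heuristic deserves a manual look.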