Malicious Office (OLE) / .PPS — malware analysis report

Static analysis result for SHA-256 22514638bdf56165…

MALICIOUS

Office (OLE) / .PPS

Size: 618.5 KB
Created: 1601-01-01 00:00:00
Authoring application: Microsoft PowerPoint
MD5: 698e8900124ccc2c2e679206598d0cb9
SHA-1: 249a16052deded86a0aa25687f01f57c50956170
SHA-256: 22514638bdf56165f0450427b9d80effb078fcb1c8e3352b9ec7e35569948069
Risk Score: 280

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1055 Process Injection
  • T1071.001 Web Protocols

The file is a malicious PowerPoint slideshow, identified by ClamAV as Win.Trojan.Exploit-110. High-severity heuristics indicate the presence of an API hash resolver and PEB access, suggesting the malware attempts to dynamically resolve API functions and potentially inject code. The references to VirtualProtect, LoadLibrary, and GetProcAddress further support the likelihood of code execution and loading of malicious payloads. The document body contains nonsensical text, indicating it is not intended for user interaction but rather serves as a lure for exploitation.

Heuristics 7

  • ClamAV: Win.Trojan.Exploit-110 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Exploit-110
  • x86 GetPC stub (CALL $+5; POP EAX) (high, SC_GETPC_CALL)
    x86 GetPC stub (CALL $+5; POP EAX)
  • PEB access via FS segment (x86) (high, SC_PEB_ACCESS)
    PEB access via FS segment (x86)
  • PEB API-hash resolver (high, SC_API_HASH_RESOLVER)
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY)
    Reference to LoadLibrary API
  • Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS)
    Reference to GetProcAddress API
  • Reference to VirtualProtect API (medium, SC_STR_VIRTUALPROTECT)
    Reference to VirtualProtect API