MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The file is a malicious PowerPoint document that contains an embedded PE executable. Heuristics indicate the use of VirtualAlloc, LoadLibrary, and GetProcAddress APIs, suggesting the embedded executable is likely a shellcode payload designed to be loaded into memory. The embedded executable is identified as a critical finding, and the exploit CVE-2011-1269 / MS11-036 family further supports its malicious nature.
Heuristics 6
-
PowerPoint binary-format RCE payload — CVE-2011-1269 / MS11-036 family critical CVE likely PPT_BINARY_MEMORY_CORRUPTION_PAYLOADA macro-free binary PowerPoint (.ppt) document carries a native code payload (embedded PE and/or process-injection shellcode), staged in an oversized binary stream. Legitimate presentations do not embed executables or shellcode; this is the payload half of a PowerPoint memory-corruption exploit (CVE-2011-1269 / MS11-036 family; the same record-overflow delivery is shared with CVE-2010-2572 and CVE-2009-0556).
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://ocsp.thawte.com0 In document text (OLE body)
- http://ts-ocsp.ws.symantec.com07In document text (OLE body)
- http://ocsp.verisign.com0In document text (OLE body)
- http://sc.symcd.com0&In document text (OLE body)
- http://crl.thawte.com/ThawteTimestampingCA.crl0In document text (OLE body)
- http://ts-aia.ws.symantec.com/tss-ca-g2.cer0In document text (OLE body)
- http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(In document text (OLE body)
- http://crl.verisign.com/pca3.crl0In document text (OLE body)
- https://www.verisign.com/cps0In document text (OLE body)
- http://logo.verisign.com/vslogo.gif04In document text (OLE body)
- http://www.symauth.com/cps0(In document text (OLE body)
- http://www.symauth.com/rpa04In document text (OLE body)
- http://crl.verisign.com/pca3-g5.crl0In document text (OLE body)
- https://d.symcb.com/cps0%In document text (OLE body)
- https://d.symcb.com/rpa0+In document text (OLE body)
- http://sc.symcb.com/sc.crl0In document text (OLE body)
- http://sc.symcb.com/sc.crt0In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_office_0001d000.exe |
embedded-pe | Office MZ+PE at offset 0x1D000 | 12800 bytes |
SHA-256: 5b72d5a065d91a46d833d0b91de7bc8c69a6e8da9f89d2ea606ceb03af4cad3a |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.