Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 344f001c535fec35…

MALICIOUS

Office (OLE) / .PPT

618.5 KB Created: 1601-01-01 00:00:00 (a zero Windows FILETIME, i.e. no creation timestamp was recorded) Authoring application: Microsoft PowerPoint
MD5: 0735d4a781f93f438458d4cf7ee9dba7 SHA-1: 8aa615f12caae5833dc4b51ccbd03a45f482eb3b SHA-256: 344f001c535fec3568a5e07e81f0f4e80bd26ec5789d14fe4f8c3145ca0c6568
162 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is identified as malicious by ClamAV as Win.Trojan.Exploit-110. Static analysis reveals string references to the LoadLibrary and GetProcAddress APIs, the pair that position-independent shellcode typically uses to resolve further imports at run time, which indicates dynamic code loading and execution. A long run of 0x40 bytes (inc eax on 32-bit x86, a single-byte NOP-equivalent) forms a sled of the kind placed ahead of shellcode to absorb an imprecise control-flow hijack. No VBA macros were extracted, so the file type and the heuristic firings together point towards an exploit targeting the PowerPoint application rather than a macro dropper, most likely one whose shellcode downloads and executes a secondary payload. Note that the only URL extracted is an OOXML namespace identifier, not a download location, so the second-stage download is inferred from the API references rather than observed in the file.

Heuristics 5

  • ClamAV: Win.Trojan.Exploit-110 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Exploit-110
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED
    Long run of 0x40 bytes (inc eax on 32-bit x86, a single-byte NOP-equivalent; on x86-64 the same byte is a REX prefix)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main
    This is the DrawingML XML namespace identifier, expected in embedded OOXML parts; it is not a network indicator.
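The following is an added example, not part of the report or the scanner's own code, showing how the three non-signature heuristics above (NOP-equivalent sled, plaintext API-name strings, embedded-URL labelling) can be reproduced and combined into a triage verdict. The SAMPLE blob is constructed for illustration and is not the analysed file; the sled opcode table, API name list and namespace-URL prefixes are assumptions chosen to match the report, and the 32-byte minimum run length is an arbitrary threshold.

```python
import re
from typing import List, Tuple

# Constructed sample blob (NOT the analysed file): OLE2 compound-file magic,
# padding, a 48-byte run of 0x40, plaintext API names in ASCII and UTF-16LE,
# and an OOXML namespace URL of the kind the report extracted.
SAMPLE = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56      # OLE2 magic + padding
    + b"\x40" * 48                                          # sled: inc eax on x86-32
    + b"\x31\xc0\x50\x68"                                   # xor eax,eax; push eax; push imm32
    + b"LoadLibraryA\x00GetProcAddress\x00"                 # ASCII API name strings
    + "WinExec".encode("utf-16-le") + b"\x00\x00"           # wide-string API name
    + b"http://schemas.openxmlformats.org/drawingml/2006/main\x00"
)

# Single-byte x86-32 opcodes that act as NOP-equivalents in a sled (assumed list).
# 0x40 is 'inc eax'; under x86-64 the same byte is a REX prefix, so a run of it
# only pads cleanly for 32-bit shellcode.
SLED_OPCODES = {0x90: "nop", 0x40: "inc eax", 0x41: "inc ecx", 0x42: "inc edx", 0x43: "inc ebx"}

# API names commonly resolved by loader-style shellcode (assumed list).
API_NAMES = ["LoadLibrary", "GetProcAddress", "VirtualAlloc", "WinExec", "URLDownloadToFile"]

# URL prefixes that are XML namespace identifiers, not network indicators (assumed list).
NAMESPACE_URL_PREFIXES = (
    "http://schemas.openxmlformats.org/",
    "http://schemas.microsoft.com/",
    "http://www.w3.org/",
    "urn:schemas-microsoft-com:",
)

def find_sleds(data: bytes, min_run: int = 32) -> List[Tuple[int, int, str]]:
    """Return (offset, length, mnemonic) for every run of a sled opcode of at least min_run bytes."""
    hits = []
    for opcode, mnemonic in SLED_OPCODES.items():
        pattern = re.compile(re.escape(bytes([opcode])) + b"{%d,}" % min_run)
        for m in pattern.finditer(data):
            hits.append((m.start(), m.end() - m.start(), mnemonic))
    return sorted(hits)

def find_api_strings(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, api_name, encoding) for plaintext API names stored as ASCII or UTF-16LE."""
    hits = []
    for name in API_NAMES:
        for encoding in ("ascii", "utf-16-le"):
            for m in re.finditer(re.escape(name.encode(encoding)), data):
                hits.append((m.start(), name, encoding))
    return sorted(hits)

def find_urls(data: bytes) -> List[Tuple[int, str, str]]:
    """Extract printable-ASCII URLs and label each 'namespace' (XML boilerplate) or 'network'."""
    hits = []
    for m in re.finditer(rb"(?:https?://|urn:)[\x21-\x7e]+", data):
        url = m.group().decode("ascii")
        label = "namespace" if url.startswith(NAMESPACE_URL_PREFIXES) else "network"
        hits.append((m.start(), url, label))
    return hits

def triage(data: bytes) -> dict:
    """Combine the heuristics; is_ole is the OLE2 magic check behind the 'Office (OLE)' file type."""
    sleds = find_sleds(data)
    apis = find_api_strings(data)
    urls = find_urls(data)
    return {
        "is_ole": data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
        "sleds": sleds,
        "api_strings": apis,
        "urls": urls,
        # A sled together with the LoadLibrary/GetProcAddress resolution pair is
        # treated as shellcode-like; a namespace URL contributes nothing to the verdict.
        "shellcode_like": bool(sleds) and any(a[1] in ("LoadLibrary", "GetProcAddress") for a in apis),
        "network_indicators": [u for u in urls if u[2] == "network"],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

Run against a real document, the plaintext API-string hit is the weakest of the three signals: legitimate embedded OLE objects (an embedded executable or ActiveX control) carry the same import names, and well-built shellcode resolves APIs by hash and never stores the names at all, so absence of the strings does not clear a file either.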