Office (OLE) / .PP malware analysis — malicious · 34c96429f2cde7f0

MALICIOUS

Office (OLE) / .PP

418.5 KB Created: 2009-05-21 02:07:35 Authoring application: Microsoft PowerPoint

MD5: 77ab5d8c331cab967ceb127f77880f43 SHA-1: 2ef04cac18db1164cb20cf0f2682f21383d61db3 SHA-256: 34c96429f2cde7f02b14c3e11cdc1eeea94871e444c91fa246e141f68403a221

140 Risk Score

Malware Insights

MITRE ATT&CK

T1027 Obfuscated Files or Information T1140 Deobfuscate/Decode Files or Information

The sample is a PowerPoint file exhibiting several high and critical heuristic firings, including XOR-encoded strings and a NOP sled. The large amount of slack space in the OLE structure also suggests the presence of hidden or obfuscated content. The XOR encoding with key 0x8B is a strong indicator of malicious intent, likely to hide a payload or deobfuscation routine. Without further script analysis, the exact payload delivery mechanism remains unclear, but the obfuscation points towards a downloader or dropper.

Heuristics 3

XOR-encoded strings (key 0x8B) critical SC_XOR_ENCODED

Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0x8B: 'LoadLibraryW', 'LoadLibraryW', 'LoadLibraryExA', 'RegOpenKeyExA'
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 428,548 bytes but its declared streams total only 18,081 bytes — 410,467 bytes (96%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.