Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 36fffd0467ee109e…

Verdict: MALICIOUS
File type: Office (OLE) / .PPT
Size: 616.5 KB
Created: 1601-01-01 00:00:00
Authoring application: Microsoft PowerPoint
MD5: 1650831d3afd313cc0c7e3e6d22d7e84
SHA-1: 1841b948ed75b64b9be17daa1a121299e598966b
SHA-256: 36fffd0467ee109ebb58598f22a151788f52f1c48eecf9764110616b44628026
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1218.011 Signed Binary Proxy Execution: Rundll32

The sample triggers high-confidence heuristics for PEB access and API hash resolution, techniques commonly used to resolve imports without a visible import table and so to obfuscate API calls. It also references WinExec and CreateProcess, suggesting an intent to launch further code. An embedded URL is present; its reputation is benign, but its presence is noted. No scripts were extracted from this sample, which limits the ability to determine the exact payload or execution flow.

Heuristics (6)

  • x86 GetPC stub (CALL $+5; POP EAX) [high, SC_GETPC_CALL]
  • PEB access via FS segment (x86) [high, SC_PEB_ACCESS]
  • PEB API-hash resolver [high, SC_API_HASH_RESOLVER]
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • Reference to WinExec API [high, SC_STR_WINEXEC]
  • Reference to CreateProcess API [high, SC_STR_CREATEPROCESS]
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main