Office (OLE) / .PPT malware analysis — malicious · 3780f961794338af

MALICIOUS

Office (OLE) / .PPT

123.0 KB Created: 2009-05-21 02:07:35 Authoring application: Microsoft PowerPoint

MD5: 638a0d4a0d28fd51b88fc21ea4921eda SHA-1: b6bd5be15a8a4dad471dc8c64dd75fc37850718f SHA-256: 3780f961794338af0d2280db6608dcf0edc0575edfdd242341291c2b52be6c95

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The sample is a malicious PowerPoint file exhibiting characteristics of a malicious document, including a NOP sled and XOR-encoded strings. The XOR key 0xCC was identified, suggesting a potential obfuscation technique used to hide malicious code or payloads. The large amount of slack space in the OLE structure is also anomalous. Without a document body or script content, the exact attack pattern is unclear, but it is likely a downloader or dropper.

Heuristics 3

XOR-encoded strings (key 0xCC) critical SC_XOR_ENCODED

Found 6 Windows library/API name(s) XOR-encoded with single-byte key 0xCC: 'LoadLibraryA', 'LoadLibraryA', 'GetProcAddress', 'GetProcAddress', 'VirtualAlloc', 'RegOpenKeyExA'
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 125,956 bytes but its declared streams total only 18,081 bytes — 107,875 bytes (86%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.