Office (OLE) / .PPS malware analysis — malicious · 3a53bd70b559161d

MALICIOUS

Office (OLE) / .PPS

244.7 KB Created: 1601-01-01 00:00:00 Authoring application: Microsoft PowerPoint

MD5: 13bd1de355d86a355fd7702582e45de6 SHA-1: 53baea996be41bd888d3568c1b78b070957c5022 SHA-256: 3a53bd70b559161dbcae19e856c76499d0289a63098c509b192d16596b7c9e38

240 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1105 Ingress Tool Transfer T1566.001 Spearphishing Attachment

The sample is a PowerPoint file containing an embedded PE executable. Heuristics indicate the use of PEB access and API hash resolution, common techniques for evasion. The presence of WinExec and XOR-encoded strings suggests the execution of malicious code. The embedded executable is the primary payload, likely intended to be run by the user.

Heuristics 5

XOR-encoded strings (key 0xDB) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xDB: 'iphlpapi.dll', 'LoadLibraryA', 'GetProcAddress', 'CreateProcessA', 'CreateFileA', 'WSAStartup', 'CreateThread', 'RegOpenKeyExA'
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
PEB API-hash resolver high SC_API_HASH_RESOLVER

PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_office_0000367e.exe` `74a96231bb23150c6456a2a197c1b4da69514270efc035ee48fff7c8eac0b543`	embedded-pe	Office MZ+PE at offset 0x367E	236642 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.