Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 3aeb6655aed3018d…

MALICIOUS

Office (OLE) / .PPT

Size: 2.42 MB
Created: 1601-01-01 00:00:00
Authoring application: Microsoft PowerPoint
MD5: 9597ddc17de983a900f5462807ec7820
SHA-1: 508523ad38160b9a6269e70ee19a9ebd20d8e737
SHA-256: 3aeb6655aed3018d228c38e7fafdadaefcd462ce33979f875441681bd9c23a9d
Risk Score: 364

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1027 Obfuscated Files or Information
  • T1059.001 PowerShell

The sample is a malicious PowerPoint file that exploits CVE-2006-3877 to deliver an embedded executable. Heuristics indicate the use of VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress APIs, along with XOR-encoded strings, suggesting a downloader or dropper functionality. The embedded PE executable is the primary payload. Although VBA extraction failed, the presence of an embedded executable and the specific CVE exploit strongly indicate a malicious intent to execute arbitrary code.

Heuristics (9)

  • CVE-2006-3877 — PowerPoint malformed record payload (severity: critical; category: CVE; confidence: likely; rule: CVE_2006_3877)
    PowerPoint OLE file declares a malformed large numbered Table stream that cannot be read through the CFB chain, while the carved stream bytes contain a PE-like payload. This is the static shape of the PowerPoint malformed-record exploit family fixed as CVE-2006-3877.
  • XOR-encoded strings (key 0x8A) (severity: critical; rule: SC_XOR_ENCODED)
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0x8A: 'kernel32.dll', 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'VirtualProtect'
  • Embedded PE executable (severity: critical; rule: OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Win.Trojan.VB-751 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.VB-751
  • Reference to LoadLibrary API (severity: high; rule: SC_STR_LOADLIBRARY)
    Reference to LoadLibrary API
  • Reference to GetProcAddress API (severity: high; rule: SC_STR_GETPROCADDRESS)
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API (severity: medium; rule: SC_STR_VIRTUALALLOC)
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API (severity: medium; rule: SC_STR_VIRTUALPROTECT)
    Reference to VirtualProtect API
  • Unsupported Office format for VBA extraction (severity: info; rule: OFFICE_FORMAT_UNSUPPORTED)
    olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_0000766f.exe
SHA-256: 673524d0426af3901f053aa16b8cbcb3807d5bd5a6a1e5000422f29c372c57cf
Kind: embedded-pe
Source: Office MZ+PE at offset 0x766F
Size: 2509201 bytes