Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3c8d09df6ef1bec7…

MALICIOUS

Office (OLE)

Size: 135.5 KB
Created: 1601-01-01 00:00:00
Authoring application: Microsoft PowerPoint
First seen: 2026-06-16
MD5: 466d608e32e756deaa88a775304f137d
SHA-1: be7c57adf4e164f90931ec81c04054522a3a3197
SHA-256: 3c8d09df6ef1bec707beb436f05f774b9215f43cefe82c2e79d40e34077c481a
Risk Score: 240

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is a malicious PowerPoint file that exploits CVE-2011-1269 / MS11-036, a known remote code execution vulnerability. It contains raw shellcode and uses PEB access and API hash resolution techniques, indicating it is designed to execute a payload. The XOR-encoded strings suggest obfuscation intended to evade detection. No specific malware family could be identified, and no external IOCs were extracted.

Heuristics (5)

  • PowerPoint binary-format RCE payload — CVE-2011-1269 / MS11-036 family [severity: critical; CVE likely; rule: PPT_BINARY_MEMORY_CORRUPTION_PAYLOAD]
    A macro-free binary PowerPoint (.ppt) document carries a native code payload (embedded PE and/or process-injection shellcode), staged in an oversized binary stream. Legitimate presentations do not embed executables or shellcode; this is the payload half of a PowerPoint memory-corruption exploit (CVE-2011-1269 / MS11-036 family; the same record-overflow delivery is shared with CVE-2010-2572 and CVE-2009-0556).
  • XOR-encoded strings (key 0x49) [severity: critical; rule: SC_XOR_ENCODED]
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x49: 'kernel32.dll', 'advapi32.dll', 'shell32.dll', 'KERNEL32.DLL', 'ADVAPI32.DLL', 'CreateProcessA', 'ExitProcess', 'ExitProcess'
    Disassembly hidden — these bytes score as degenerate, not coherent x86 code (single mnemonic 'dec' is 90% of instructions — a sled or padding/filler run, not program logic).
  • PEB access via FS segment (x86) [severity: high; rule: SC_PEB_ACCESS]
    PEB access via FS segment (x86)
    Disassembly
    x86 disassembly · validity: code (0.969) — 10/10 branch targets land on an instruction boundary (100% coherence)
    00002808  64a130000000      mov eax, dword ptr fs:[0x30]
    0000280E  8b400c            mov eax, dword ptr [eax + 0xc]
    00002811  8b701c            mov esi, dword ptr [eax + 0x1c]
    00002814  ad                lodsd eax, dword ptr [esi]
    00002815  8b4008            mov eax, dword ptr [eax + 8]
    00002818  5e                pop esi
    00002819  c3                ret
    0000281A  60                pushal
    0000281B  8b6c2424          mov ebp, dword ptr [esp + 0x24]
    0000281F  8b453c            mov eax, dword ptr [ebp + 0x3c]
    00002822  8b542878          mov edx, dword ptr [eax + ebp + 0x78]
    00002826  03d5              add edx, ebp
    00002828  8b4a18            mov ecx, dword ptr [edx + 0x18]
    0000282B  8b5a20            mov ebx, dword ptr [edx + 0x20]
    0000282E  03dd              add ebx, ebp
    00002830  e334              jecxz 0x2866
    00002832  49                dec ecx
    00002833  8b348b            mov esi, dword ptr [ebx + ecx*4]
    00002836  03f5              add esi, ebp
    00002838  33ff              xor edi, edi
    0000283A  33c0              xor eax, eax
    0000283C  fc                cld
    0000283D  ac                lodsb al, byte ptr [esi]
    0000283E  84c0              test al, al
    00002840  7407              je 0x2849
    00002842  c1cf0d            ror edi, 0xd
    00002845  03f8              add edi, eax
    00002847  ebf4              jmp 0x283d
    00002849  3b7c2428          cmp edi, dword ptr [esp + 0x28]
    0000284D  75e1              jne 0x2830
    0000284F  8b5a24            mov ebx, dword ptr [edx + 0x24]
    00002852  03dd              add ebx, ebp
    00002854  668b0c4b          mov cx, word ptr [ebx + ecx*2]
    00002858  8b5a1c            mov ebx, dword ptr [edx + 0x1c]
    0000285B  03dd              add ebx, ebp
    0000285D  8b048b            mov eax, dword ptr [ebx + ecx*4]
    00002860  03c5              add eax, ebp
    00002862  8944241c          mov dword ptr [esp + 0x1c], eax
    00002866  61                popal
    00002867  c2                .byte 0xc2
  • PEB API-hash resolver [severity: high; rule: SC_API_HASH_RESOLVER]
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver.
  • OLE file contains raw shellcode-like resolver payload [severity: high; rule: OLE_RAW_SHELLCODE_PAYLOAD]
    Malformed or legacy OLE file contains raw PEB/API-resolver shellcode bytes at the file level, including loader-walk instructions and a nearby payload marker. This indicates an exploit payload carrier but does not identify a specific parser CVE.