Verdict: MALICIOUS
Risk Score: 122
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The sample is a PowerPoint slideshow (PPS) file that contains a large amount of slack space and an embedded Portable Executable (PE) file. The embedded PE executable, named 'embedded_office_00003067.exe', is the primary indicator of malicious intent. The presence of this executable suggests the slideshow is a lure to deliver malware. No document body text or scripts were extracted, limiting further analysis of the delivery pretext.
Heuristics (4)
- Embedded PE executable [critical] OLE_EMBEDDED_EXE: MZ/PE header found inside document; possible embedded executable.
- OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY: OLE file is 3,607,655 bytes but its declared streams total only 208,609 bytes; 3,399,046 bytes (94%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- NOP-equivalent sled detected [medium] SC_NOP_EQUIV_SLED: Long run of 0x43 bytes.
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| embedded_office_00003067.exe | e37050ba87524e3ec558a36808990ea5a011ecd61cdb344b5946592d532d251a | embedded-pe | Office MZ+PE at offset 0x3067 | 3595264 bytes |

Detection (embedded_office_00003067.exe):
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact entropy is 7.89, consistent with packed or encrypted content.