Malicious Office (OLE) / .J — malware analysis report

Static analysis result for SHA-256 3f46e61c3daead73…

MALICIOUS

Office (OLE) / .J

Size: 43.0 KB
Created: 1601-01-01 00:00:00 (a zeroed Windows FILETIME, i.e. no real creation timestamp is recorded in the file)
Authoring application: Microsoft PowerPoint
MD5: 9f1978bf313f731d241ce1286dabf38a
SHA-1: ec052128abfd6b4277c7a51e42ed5d785a57e23a
SHA-256: 3f46e61c3daead7370734da75ceebfb28be7a584b05037cf5a9d8073ecdd8454
Risk Score: 400

Malware Insights

MITRE ATT&CK
T1059.001 Command and Scripting Interpreter: PowerShell
T1204.002 User Execution: Malicious File
T1105 Ingress Tool Transfer
Note: the static heuristics below evidence only the embedded PE and its API strings; the PowerShell and ingress-tool-transfer mappings are inferred from the likely dropper/downloader role of the sample, not from behaviour observed in this analysis.

The sample is a malicious PowerPoint (OLE) file that ClamAV identifies as Win.Trojan.Agent-67838. It contains an embedded PE executable (MZ/PE header at offset 0x2A72), which points to dropper or downloader functionality. The carved executable contains string references to CreateProcess, VirtualAlloc, VirtualProtect, WriteProcessMemory, LoadLibrary and GetProcAddress; taken together, that set is characteristic of code that allocates and re-protects memory, writes into another process and resolves APIs at run time, i.e. in-memory loading or process injection. This is a static finding: the strings show the capability is present in the binary, not that it executes, and LoadLibrary/GetProcAddress on their own are common in benign software. The decisive indicators are the embedded PE itself and the ClamAV hit on the carved artifact.

Heuristics (9)

  • Reference to WriteProcessMemory API [critical, SC_STR_WRITEPROCESSMEMORY]
  • Embedded PE executable [critical, OLE_EMBEDDED_EXE]
    MZ/PE header found inside the document: possible embedded executable
  • ClamAV: Win.Trojan.Agent-67838 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Trojan.Agent-67838
  • ClamAV detection on extracted artifact [critical, EXTRACTED_FILE_CLAMAV]
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Reference to CreateProcess API [high, SC_STR_CREATEPROCESS]
  • Reference to LoadLibrary API [high, SC_STR_LOADLIBRARY]
  • Reference to GetProcAddress API [high, SC_STR_GETPROCADDRESS]
  • Reference to VirtualAlloc API [medium, SC_STR_VIRTUALALLOC]
  • Reference to VirtualProtect API [medium, SC_STR_VIRTUALPROTECT]

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00002a72.exe
SHA-256: 78f007b1a5388ea4407edb81aa7fd04daf3b27ae36189bef378497080f5cb8d6
Kind: embedded-pe
Source: Office, MZ+PE at offset 0x2A72
Size: 33166 bytes
Detection: ClamAV: Win.Trojan.Agent-67838
Obfuscation or payload: unlikely
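As an added example (not the analysis platform's own code), the carving and string-scan steps behind the OLE_EMBEDDED_EXE and SC_STR_* heuristics reduced to a short script: it walks the container for MZ headers, validates each against the PE signature and section table, carves the image, hashes it and reports which of the flagged API names occur as strings. The container bytes, the fake PE and all helper names are constructed for the demo; only the heuristic labels and the 0x2A72 offset come from the report above.

```python
"""Carve embedded PE executables out of an Office/OLE container and scan each
one for string references to the process-injection APIs the report flags.

Added example, not the analysis platform's own code. Heuristic labels
(OLE_EMBEDDED_EXE, SC_STR_*) and the 0x2A72 offset mirror the report; the
container bytes are constructed here so the script runs offline.
"""
import hashlib
import struct

# API names flagged by the report, with the severity the report assigns.
# Matching is by substring, so "CreateProcess" also covers CreateProcessA/W
# and "VirtualAlloc" covers VirtualAllocEx.
API_SEVERITY = {
    b"WriteProcessMemory": "critical",
    b"CreateProcess": "high",
    b"LoadLibrary": "high",
    b"GetProcAddress": "high",
    b"VirtualAlloc": "medium",
    b"VirtualProtect": "medium",
}


def pe_size_from_headers(data, mz_off):
    """Size of the PE image starting at mz_off, derived from its section table
    (max PointerToRawData + SizeOfRawData), or None if the MZ header does not
    lead to a valid 'PE\\0\\0' signature."""
    if data[mz_off:mz_off + 2] != b"MZ" or mz_off + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, mz_off + 0x3C)[0]
    pe_off = mz_off + e_lfanew
    if e_lfanew > 0x1000 or pe_off + 24 > len(data):
        return None
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    # COFF header follows the signature: NumberOfSections at +2,
    # SizeOfOptionalHeader at +16 (timestamp/symbol fields in between).
    num_sections, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)
    sect_table = pe_off + 24 + opt_size
    end = sect_table + 40 * num_sections        # 40-byte section headers
    if num_sections == 0 or end > len(data):
        return None
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_table + 40 * i + 16)
        end = max(end, mz_off + raw_ptr + raw_size)
    return min(end, len(data)) - mz_off


def carve_embedded_pes(container):
    """Find every MZ header that leads to a valid PE and return (offset, bytes)
    pairs; this is what the OLE_EMBEDDED_EXE heuristic reduces to."""
    found = []
    pos = container.find(b"MZ")
    while pos != -1:
        size = pe_size_from_headers(container, pos)
        if size:
            found.append((pos, container[pos:pos + size]))
            pos = container.find(b"MZ", pos + size)
        else:
            pos = container.find(b"MZ", pos + 1)   # decoy or stray "MZ", keep scanning
    return found


def api_references(pe_bytes):
    """Map each flagged API name found as an ASCII string in the carved
    executable (import names or plain strings) to its report severity."""
    return {name.decode(): sev for name, sev in API_SEVERITY.items() if name in pe_bytes}


def analyse_container(container):
    """Carve every embedded PE and summarise offset, size, SHA-256 and API hits."""
    return [{
        "offset": off,
        "size": len(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "apis": api_references(blob),
    } for off, blob in carve_embedded_pes(container)]


def build_test_pe(strings):
    """Construct a minimal, non-runnable PE32 image (DOS header, COFF header,
    zeroed optional header, one section holding the given strings).
    Constructed test data, not a real sample."""
    section = b"\0".join(strings) + b"\0"
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)).ljust(0x80, b"\0")  # e_lfanew = 0x80
    opt = struct.pack("<H", 0x10B).ljust(224, b"\0")                           # PE32 magic only
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = (b".text\0\0\0"
            + struct.pack("<IIII", len(section), 0x1000, len(section), 0x200)).ljust(40, b"\0")
    return (dos + coff + opt + sect).ljust(0x200, b"\0") + section


# Constructed container: OLE magic, a decoy "MZ" that is not a PE, filler, and
# the fake executable at 0x2A72, the offset the report shows for the real sample.
FAKE_PE = build_test_pe([b"KERNEL32.dll", b"VirtualAlloc", b"VirtualProtect",
                         b"WriteProcessMemory", b"CreateProcessA",
                         b"LoadLibraryA", b"GetProcAddress"])
SAMPLE = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 0x100 + b"MZ decoy"
          ).ljust(0x2A72, b"\x41") + FAKE_PE + b"\0" * 64

if __name__ == "__main__":
    for hit in analyse_container(SAMPLE):
        print(f"MZ+PE at offset {hit['offset']:#x}, {hit['size']} bytes, sha256 {hit['sha256']}")
        for api, sev in sorted(hit["apis"].items()):
            print(f"  {sev:<8} SC_STR_{api.upper()}")
```

To run this against a real document, replace SAMPLE with the file's bytes. The size derived from the section table is the minimum image size: appended overlay data is not included, so the carved length can differ from what a platform that carves to the next structure boundary reports, and the SHA-256 of the carved artifact differs accordingly.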