Malicious Office (OLE) / .PPS — malware analysis report

Static analysis result for SHA-256 4057d33a530dba97…

MALICIOUS

Office (OLE) / .PPS

Size: 1.19 MB
Created: 2007-02-06 22:15:46
Authoring application: Microsoft PowerPoint
MD5: be63ebb333f6a136cffb8e2d1de23e9b
SHA-1: 7b3e1b8619c6bdc084fb0f15ec53ba34810d0784
SHA-256: 4057d33a530dba9756712ba6cd6f8a758a5589d7fb82900e731a6f23dcc8a2e6
Risk Score: 142

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1027 Obfuscated Files or Information
  • T1140 Deobfuscate/Decode Files or Information

The sample is a PowerPoint presentation (PPS) that contains a large slack-space anomaly and an embedded PE executable. The document body text is a religious prayer promising financial blessings if forwarded, which serves as a social-engineering lure. The embedded executable, named 'embedded_office_00076800.exe', is the primary malicious component and was likely delivered as a spearphishing attachment. The combination of the embedded executable and the social-engineering lure strongly indicates malicious intent, most likely delivery of a second-stage payload.

Heuristics (5)

  • Embedded PE executable (critical, OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable
  • x86 GetPC stub (CALL $+5; POP EAX) (high, SC_GETPC_CALL)
    x86 GetPC stub (CALL $+5; POP EAX)
  • OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY)
    OLE file is 1,249,371 bytes but its declared streams total only 472,811 bytes — 776,560 bytes (62%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00076800.exe
SHA-256: d5bac4beac3480cb71025edf00f50e9de0803d39ba6b87d5c00340294452f29e
Kind: embedded-pe
Source: Office MZ+PE at offset 0x76800
Size: 763,995 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.90, consistent with packed or encrypted content.