Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 42a244723aedb4b3…

MALICIOUS

Office (OLE) / .PPT

Size: 427.0 KB
Created: 2009-05-21 02:07:35
Authoring application: Microsoft PowerPoint
MD5: 68f49c8ba78a7721d8f1629e06369150
SHA-1: f6b2703fe40dd1d41cd5b2af3b81ff421e2f0977
SHA-256: 42a244723aedb4b398064aeb3fac3b04b0718290f76c0bcdc8f3cde89dae296a
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The sample is a PowerPoint file exhibiting several malicious characteristics, including a NOP sled and XOR-encoded strings with a key of 0xCC. The large amount of slack space in the OLE structure is also suspicious. While no specific document body content or scripts were clearly extracted, the heuristics strongly suggest the presence of obfuscated code, likely intended to download and execute a secondary payload. The XOR key '0xCC' is identified as a key indicator.

Heuristics (3)

  • XOR-encoded strings (key 0xCC) [critical] SC_XOR_ENCODED
    Found 7 Windows library/API name(s) XOR-encoded with single-byte key 0xCC: 'LoadLibraryA', 'LoadLibraryA', 'GetProcAddress', 'GetProcAddress', 'VirtualAlloc', 'VirtualAlloc', 'CreateProcessA'
  • NOP sled detected [high] SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 437,252 bytes but its declared streams total only 18,081 bytes; the remaining 419,171 bytes (96%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).