MALICIOUS
380
Risk Score
Heuristics 8
-
PowerPoint binary-format RCE payload — CVE-2011-1269 / MS11-036 family critical PPT_BINARY_MEMORY_CORRUPTION_PAYLOADA macro-free binary PowerPoint (.ppt) document carries a native code payload (embedded PE and/or process-injection shellcode), staged in an oversized binary stream. Legitimate presentations do not embed executables or shellcode; this is the payload half of a PowerPoint memory-corruption exploit (CVE-2011-1269 / MS11-036 family; the same record-overflow delivery is shared with CVE-2010-2572 and CVE-2009-0556).
-
ClamAV: Win.Trojan.Exploit-110 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Exploit-110
-
Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORYReference to WriteProcessMemory API
-
XOR-encoded strings (key 0x10) critical SC_XOR_ENCODEDFound 2 Windows library/API name(s) XOR-encoded with single-byte key 0x10: 'GetProcAddress', 'RegOpenKeyExA'Disassembly hidden — these bytes score as data, not coherent x86 code (13/25 branch targets land on an instruction boundary (52% coherence)).
-
Reference to CreateProcess API high SC_STR_CREATEPROCESSReference to CreateProcess API
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
Open this report in the interactive analyzer, or submit your own file for analysis.