Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 42ba3c3b2f98cd66…

MALICIOUS

Office (OLE) / .PPT

Size: 618.5 KB
Created: 2005-06-13 06:38:23
Authoring application: Microsoft PowerPoint
MD5: f1e2cec1cdd926a7dd198df11d123981
SHA-1: 308a3e57221127600cfee4d6b52d8077de38baa6
SHA-256: 42ba3c3b2f98cd66c98084eea4644ab973dc9d8634345478352bad113b275c67
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1129 Execution through API execution

The file is identified as malicious by ClamAV with the signature Win.Trojan.Exploit-110. The OLE document exhibits a significant amount of slack space, which is a common characteristic of packed or obfuscated malicious files. The document body consists of jokes, suggesting a social engineering tactic to mask the malicious payload. No scripts were extracted from this sample.

Heuristics (2)

  • ClamAV: Win.Trojan.Exploit-110 [severity: critical; rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Trojan.Exploit-110
  • OLE document has large unaccounted-for region [severity: high; rule: OLE_SLACK_ANOMALY]
    OLE file is 633,344 bytes but its declared streams total only 32,705 bytes; 600,639 bytes (95%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).