Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 4341cdb2332c8b4e…

MALICIOUS

Office (OLE) / .PPT

Size: 670.0 KB
Created: 2009-05-21 02:07:35
Authoring application: Microsoft PowerPoint
MD5: 027adc194e32f26d985ab137e7727174
SHA-1: 6ba8c6d58bdaaba7950337489ac27de9b2842284
SHA-256: 4341cdb2332c8b4ed6be932a2b61983b3384b77b08f1458793ba94b9a9303edc
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

Static analysis detected a NOP sled and XOR-encoded strings, obfuscation commonly used to hide malicious code. The large slack space in the OLE structure is also anomalous. Although no document body content or embedded scripts were clearly extracted, the heuristics strongly suggest this PowerPoint file is a dropper or downloader staging further malicious activity. The XOR key 0xCC was identified.

Heuristics (3)

  • XOR-encoded strings (key 0xCC) [critical] SC_XOR_ENCODED
    Found 7 Windows library/API name(s) XOR-encoded with single-byte key 0xCC: 'LoadLibraryA', 'LoadLibraryA', 'GetProcAddress', 'GetProcAddress', 'VirtualAlloc', 'VirtualAlloc', 'CreateProcessA'
  • NOP sled detected [high] SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 686,084 bytes but its declared streams total only 18,081 bytes, leaving 668,003 bytes (97%) in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).