Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 45f475ebc8b1e188…

Verdict: MALICIOUS
File type: Office (OLE) / .PPT
Size: 536.0 KB
Created: 2007-05-29 07:11:35
Authoring application: Microsoft Office PowerPoint
MD5: 07a07b416f2d1d347d7cd9a5d5745a6f
SHA-1: 87d6a98c6b2c2b340f0ec664c5ce9a4437484bbd
SHA-256: 45f475ebc8b1e188d86075678c3ddb9bd98d32b6c08c7c50112de705e86212f4
Risk score: 200

Malware Insights

MITRE ATT&CK
  • T1559 Component Object Model Hijacking
  • T1204 Malicious Link
  • T1059 Command and Scripting Interpreter

The sample is a PowerPoint document containing an embedded Portable Executable (PE) file. Heuristics indicate references to APIs such as VirtualAlloc, LoadLibrary, and GetProcAddress, which malware commonly uses to allocate memory and resolve and load code at runtime. The presence of an embedded executable strongly suggests that the document serves as a delivery mechanism for a secondary payload.

Heuristics (5)

  • [critical] OLE_EMBEDDED_EXE: Embedded PE executable. MZ/PE header found inside the document; possible embedded executable.
  • [high] SC_GETPC_CALL: x86 GetPC stub (CALL $+5; POP EAX).
  • [high] SC_STR_LOADLIBRARY: Reference to LoadLibrary API.
  • [high] SC_STR_GETPROCADDRESS: Reference to GetProcAddress API.
  • [medium] SC_STR_VIRTUALALLOC: Reference to VirtualAlloc API.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_0006be49.exe
SHA-256: c1a0484676c16c721032ed5c7926b0fece1fdeecaa999b15c8155f22e7ef1078
Kind: embedded-pe
Source: Office, MZ+PE at offset 0x6BE49
Size: 106935 bytes