Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4d3c5e375031c9ad…

MALICIOUS

Office (OLE)

878.8 KB Created: 1601-01-01 00:00:00 Authoring application: Microsoft PowerPoint
MD5: 6c12bc12af8bc409d0b9d3e2e2449208 SHA-1: 2eec5a5edc7be4f7273b1aa950a839a9709eee5c SHA-256: 4d3c5e375031c9ad718e8e5e7bd153bb4807c925cc57cc6271e64c658951a9c3
322 Risk Score

Malware Insights

MITRE ATT&CK
T1059.003 Windows Command Shell T1105 Ingress Tool Transfer T1204.002 Malicious File T1566.002 Spearphishing Attachment

The sample is a PowerPoint document containing an embedded PE executable, identified by the OLE_EMBEDDED_EXE heuristic. Suspicious URLs were extracted, indicating a potential download source for further malicious activity. The presence of cmd.exe invocation and references to process creation APIs suggest the embedded executable is likely designed to run and perform malicious actions, possibly downloading additional payloads.

Heuristics 10

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 899,840 bytes but its declared streams total only 86,270 bytes — 813,570 bytes (90%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://%s:%d/net/B%s/search%s.php
    • http://%s:%d/net/B%s/serinfo
    • http://about:blank

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00015c00.exe
23abd0849ee82c8faf5a47ca35d50b9d69546e216e813bce5698c4e90b082c85		 embedded-pe Office MZ+PE at offset 0x15C00 810752 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.72, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.