Malicious Office (OLE) / .PPS — malware analysis report

Static analysis result for SHA-256 4e5d548185bf03f1…

MALICIOUS

Office (OLE) / .PPS

98.2 KB Created: 1601-01-01 00:00:00 Authoring application: Microsoft PowerPoint
MD5: e982dbc547141c462097141867085bc7 SHA-1: 2f6d3d959fc7580f6fed875a60f1304cbb0cf995 SHA-256: 4e5d548185bf03f135de50b0b5b5378607fced362fa5cd639ce2c45e9d4495ef
402 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1055.012 Process Hollowing T1105 Ingress Tool Transfer

The file is a PowerPoint slideshow (PPS) containing an embedded executable. Heuristics indicate the use of APIs such as WinExec, CreateProcess, WriteProcessMemory, and CreateRemoteThread, suggesting the embedded executable is likely designed to download and execute a second-stage payload. The scan was incomplete due to a permission error, which limits the confidence in a full analysis.

Heuristics 11

  • Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY
    Reference to WriteProcessMemory API
  • Reference to CreateRemoteThread API critical SC_STR_CREATEREMOTETHREAD
    Reference to CreateRemoteThread API
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • PEB API-hash resolver high SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Scan did not complete info SCAN_INCOMPLETE
    Office scanner subprocess failed (read: [Errno 13] Permission denied: '/opt/analyzer/quarantine/4e5d548185bf03f135de50b0b5b5378607fced362fa5cd639ce2c45e9d4495ef_e982dbc547141c462097141867085bc7.pps'); this file was not fully inspected. The result is not cached so a later submission will re-trigger the scan.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00003672.exe
80c940edeffb45a41c38263ea3c773085136cde2017ca80a497dc1b27d14d315		 embedded-pe Office MZ+PE at offset 0x3672 86626 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.