Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 51a950b349e40096…

MALICIOUS

Office (OLE)

Size: 1.24 MB
Created: 1601-01-01 00:00:00
Authoring application: Microsoft PowerPoint
MD5: 030016eb8de74265f43629b35bbbc79d
SHA-1: 6261b4a9176913dc0a0bc6dd1b63cc8c34ee8cef
SHA-256: 51a950b349e400965e8dcda0686b31bf0c901fcdbe75b422fc627d458e19d681
Risk Score: 262

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1105 Ingress Tool Transfer

The sample is a PowerPoint file containing an embedded PE executable, identified by the OLE_EMBEDDED_EXE heuristic. The presence of CreateProcess, LoadLibrary, and GetProcAddress API calls, along with XOR-encoded strings, indicates the embedded executable is likely malicious and attempts to load additional components or execute code. The document body contains placeholder text and does not provide a clear lure, but the primary attack vector is the delivery of the embedded malicious executable.

Heuristics (8)

  • XOR-encoded strings (key 0x82) critical SC_XOR_ENCODED
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x82: 'VirtualAlloc', 'CreateProcessA'
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED
    Long run of 0x41 bytes
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.taipei.gov.tw/cgi-bin/SM_theme?page=49f6b4a2
    • http://www.cdc.gov.tw/np.asp?ctNode=2278&mp=1
    • http://www.iec.ch

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00005200.exe
SHA-256: d5883d6bd5d1f5a872f7d1126b0a7e553c8ecaaaf500b6a14262440ece08736d
Kind: embedded-pe
Source: Office MZ+PE at offset 0x5200
Size: 1282560 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely. Carved artifact entropy is 7.74, consistent with packed or encrypted content.