Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 5221424b404bf609…

MALICIOUS

Office (OLE) / .PPT

Size: 616.5 KB
Created: 1601-01-01 00:00:00
Authoring application: Microsoft PowerPoint
MD5: 7d156896e69169d75882edb70d9387c3
SHA-1: 512fe866e6d3840a5939bf2a0b76bdb70409ae32
SHA-256: 5221424b404bf6097031e2eef97c5ca8ec92577db0cf930b708cb754f7cba423
Risk Score: 280

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1027 Obfuscated Files or Information
  • T1140 Deobfuscate/Decode Files or Information
  • T1564.003 Hidden Window

The file is a malicious PowerPoint presentation, as indicated by the 'malicious' verdict and the 'Win.Trojan.Exploit-110' ClamAV detection. High-severity heuristics indicate the presence of obfuscation techniques, including XOR encoding with key 0x56, PEB access for API resolution, and GetProcAddress usage, suggesting an attempt to hide malicious code execution. The GetPC stub and PEB access are common in exploit-based malware.

Heuristics (6)

  • XOR-encoded strings (key 0x56) | severity: critical | id: SC_XOR_ENCODED
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x56: 'KERNEL32.DLL', 'LoadLibraryA'
  • ClamAV: Win.Trojan.Exploit-110 | severity: critical | id: CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Exploit-110
  • x86 GetPC stub (CALL $+5; POP EAX) | severity: high | id: SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EAX)
  • PEB access via FS segment (x86) | severity: high | id: SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • PEB API-hash resolver | severity: high | id: SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • Reference to GetProcAddress API | severity: high | id: SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API