Office (OLE) / .PPT malware analysis — malicious · 5491c03aa2b4405d

MALICIOUS

Office (OLE) / .PPT

3.98 MB Created: 2009-05-21 02:07:35 Authoring application: Microsoft PowerPoint

MD5: 365cb40f599f10ad4d58512809988b42 SHA-1: 63cce8ad1572c6c0abf31afba34499ae45327354 SHA-256: 5491c03aa2b4405d5110a7c289d8b1468fb5fc3e22ccbb14891c9f612008b679

160 Risk Score

Malware Insights

MITRE ATT&CK

T1027 Obfuscated Files or Information

The sample is a malicious PowerPoint file exhibiting several high and critical heuristic warnings, including XOR-encoded strings and NOP sleds. The presence of XOR-encoded strings (key 0x5B) suggests an attempt to hide malicious code or data. The large slack space in the OLE structure further indicates potential for embedded malicious content. Without a document body or script content, the exact payload delivery mechanism cannot be determined, but the heuristics strongly suggest a downloader or dropper functionality.

Heuristics 4

XOR-encoded strings (key 0x5B) critical SC_XOR_ENCODED

Found 7 Windows library/API name(s) XOR-encoded with single-byte key 0x5B: 'LoadLibraryW', 'LoadLibraryExA', 'GetProcAddress', 'CreateProcessA', 'CreateProcessA', 'CreateProcessW', 'RegOpenKeyExA'
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 4,170,756 bytes but its declared streams total only 18,081 bytes — 4,152,675 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED

Long run of 0x43 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.