Office (OLE) / .PPT malware analysis — malicious · 5539689711f31aca

MALICIOUS

Office (OLE) / .PPT

122.4 KB Created: 1601-01-01 00:00:00 Authoring application: Microsoft PowerPoint

MD5: dd306bf0c32a42d340d2f2eece67cb89 SHA-1: d9819d2e30816b22267e99284ad9e8d64de63bd6 SHA-256: 5539689711f31acacecc553db6b7a879d7bae3c42e5b975ef7916509f2978dc9

200 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1027 Obfuscated Files or Information T1140 Deobfuscate/Decode Files or Information

The sample is a PowerPoint file exhibiting critical heuristic firings for XOR-encoded strings and high-confidence firings for PEB access and API hash resolution, indicating a sophisticated attempt to hide malicious functionality. The presence of a NOP-equivalent sled and heap spray patterns further suggests exploit activity. While no specific document body content or scripts were extracted, the combination of these indicators points to a likely exploit delivery mechanism within the PowerPoint file, aiming to execute arbitrary code.

Heuristics 5

XOR-encoded strings (key 0x49) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x49: 'kernel32.dll', 'advapi32.dll', 'shell32.dll', 'KERNEL32.DLL', 'ADVAPI32.DLL', 'CreateProcessA', 'ExitProcess', 'ExitProcess'
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
PEB API-hash resolver high SC_API_HASH_RESOLVER

PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
Heap-spray pattern detected high SC_HEAP_SPRAY

Repeated 0x41 (A) bytes found
NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED

Long run of 0x40 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.