Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 589230c95668cb32…

MALICIOUS

Office (OLE) / .PPT

Size: 1008.5 KB
Created: 2009-05-21 02:07:35
Authoring application: Microsoft PowerPoint
MD5: 83c03f221f0d0553798f0d1d7fa57cfe
SHA-1: 42dc50e4900f5e3cafa9a43327776a26fbd640f3
SHA-256: 589230c95668cb325f3025f73e3b6e2433363854e0335ebd93ec2282b9e28647
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The sample is a malicious PowerPoint file exhibiting several suspicious characteristics. High severity heuristics indicate the presence of a NOP sled and XOR-encoded strings, suggesting an attempt to hide malicious code. The large slack space in the OLE structure is also anomalous. While no document body text was available for analysis, the heuristics strongly suggest that the file contains obfuscated code, likely intended to download and execute a secondary payload. The XOR key 0x9B was identified during analysis.

Heuristics (3)

  • XOR-encoded strings (key 0x9B) critical SC_XOR_ENCODED
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0x9B: 'CreateProcessA', 'CreateProcessA', 'CreateProcessW', 'CreateProcessW', 'RegOpenKeyExA'
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 1,032,708 bytes but its declared streams total only 18,081 bytes — 1,014,627 bytes (98%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).