Malicious Office (OLE) / .PPS — malware analysis report

Static analysis result for SHA-256 5ee3bc8d9b46176d…

MALICIOUS

Office (OLE) / .PPS

618.5 KB Created: 1601-01-01 00:00:00 Authoring application: Microsoft PowerPoint
MD5: d8c001b43f883aab1b6f221627a2684e SHA-1: 16870b469805a4296369cf7f250c349a535d9368 SHA-256: 5ee3bc8d9b46176d92057ed93a98b54e1d1a6cb81d785413cf361e7444eae6c4
220 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059 Command and Scripting Interpreter

The sample is a PowerPoint file that exhibits characteristics of an exploit, including references to ShellExecute, VirtualAlloc, LoadLibrary, and GetProcAddress APIs. ClamAV detection as 'Win.Trojan.Exploit-110' strongly suggests it's a known exploit. The presence of these APIs indicates the file likely attempts to download and execute a second-stage payload, a common technique for exploiting vulnerabilities.

Heuristics 6

  • ClamAV: Win.Trojan.Exploit-110 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Exploit-110
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED
    Long run of 0x41 bytes
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.