Malicious Office (OLE) / .PPS — malware analysis report

Static analysis result for SHA-256 5efd4dfee6fafce1…

MALICIOUS

Office (OLE) / .PPS

Size: 185.6 KB
Created: 1601-01-01 00:00:00
Authoring application: Microsoft PowerPoint
MD5: 90a7a0fb15dbbc5ce3f75ce3e9a92d4c
SHA-1: 0adba7c61d4bcdbc8331d4fb7c9d8e27e59efb30
SHA-256: 5efd4dfee6fafce16642c2caab9be9189809b0192879b1653ddd56efb0a160d0
Risk Score: 420

Malware Insights

MITRE ATT&CK
T1203 — Exploitation for Client Execution
T1566.001 — Spearphishing Attachment

The sample is a PowerPoint slideshow (PPS) file that contains a malformed record payload, indicative of CVE-2006-3877. This exploit is used to drop and execute an embedded PE executable. The presence of shellcode-related heuristics such as a NOP sled, a GetPC stub, and PEB access further supports that a malicious payload is executed. The embedded executable is the primary IOC.

Heuristics (10)

  • CVE-2006-3877 — PowerPoint malformed record payload [critical, CVE likely] (CVE_2006_3877)
    PowerPoint OLE file declares a malformed large numbered Table stream that cannot be read through the CFB chain, while the carved stream bytes contain a PE-like payload. This is the static shape of the PowerPoint malformed-record exploit family fixed as CVE-2006-3877.
  • Embedded PE executable [critical] (OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable
  • NOP sled detected [high] (SC_NOP_SLED)
    Found 20+ consecutive 0x90 bytes
  • x86 GetPC stub (CALL $+5; POP EDI) [high] (SC_GETPC_CALL)
    x86 GetPC stub (CALL $+5; POP EDI)
  • PEB access via FS segment (x86) [high] (SC_PEB_ACCESS)
    PEB access via FS segment (x86)
  • PEB API-hash resolver [high] (SC_API_HASH_RESOLVER)
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • Reference to LoadLibrary API [high] (SC_STR_LOADLIBRARY)
    Reference to LoadLibrary API
  • Reference to GetProcAddress API [high] (SC_STR_GETPROCADDRESS)
    Reference to GetProcAddress API
  • OLE file contains raw shellcode-like resolver payload [high] (OLE_RAW_SHELLCODE_PAYLOAD)
    Malformed or legacy OLE file contains raw PEB/API-resolver shellcode bytes at the file level, including loader-walk instructions and a nearby payload marker. This indicates an exploit payload carrier but does not identify a specific parser CVE.
  • Reference to VirtualAlloc API [medium] (SC_STR_VIRTUALALLOC)
    Reference to VirtualAlloc API

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00003675.exe
SHA-256: 65b6f205e73339c935978c0f58f39b72e6269791fd32b68727e4ef6232ab71ec
Kind: embedded-pe
Source: Office MZ+PE at offset 0x3675
Size: 176128 bytes