Verdict: MALICIOUS
Risk Score: 284

Malware Insights

MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1566.001 Phishing: Spearphishing Attachment
This binary-format PowerPoint (.ppt) document carries an embedded PE executable (carved at file offset 0x23E00, 42419 bytes), identified as the likely payload. Heuristics match the delivery pattern of a known PowerPoint memory-corruption vulnerability (CVE-2011-1269 / MS11-036 family). That attribution is a pattern match on an oversized binary record, not a confirmed trigger, so the exact vulnerability should be confirmed by parsing the offending record or by detonating the file in a vulnerable PowerPoint build. No VBA macros were extractable (the legacy binary format is outside the macro extractor's scope), but a native executable has no legitimate place inside a presentation, and together with the exploit-delivery indicators it points to a malicious document designed to drop and run a second stage.
Heuristics (9)

- PowerPoint binary-format RCE payload — CVE-2011-1269 / MS11-036 family (critical, CVE likely) [PPT_BINARY_MEMORY_CORRUPTION_PAYLOAD]
  A macro-free binary PowerPoint (.ppt) document carries a native-code payload (an embedded PE and/or process-injection shellcode), staged in an oversized binary stream. Legitimate presentations do not embed executables or shellcode; this is the payload half of a PowerPoint memory-corruption exploit (CVE-2011-1269 / MS11-036 family; the same record-overflow delivery is shared with CVE-2010-2572 and CVE-2009-0556).

- Embedded PE executable (critical) [OLE_EMBEDDED_EXE]
  MZ/PE header found inside the document: possible embedded executable.
- NOP sled detected (high) [SC_NOP_SLED]
  Found 20+ consecutive 0x90 bytes.

  Disassembly (attempted x86 opcode decode of the flagged region):

  ```
  0002750C .. 0002753F  90                  nop   (52 consecutive 0x90 bytes)
  00027540  55                  push ebp
  00027541  53                  push ebx
  00027542  45                  inc ebp
  00027543  52                  push edx
  00027544  33 32               xor esi, dword ptr [edx]
  00027546  2e 64 6c            insb byte ptr es:[edi], dx
  00027549  6c                  insb byte ptr es:[edi], dx
  0002754A  00 90 90 90 90 90   add byte ptr [eax - 0x6f6f6f70], dl
  00027550  4d                  dec ebp
  00027551  53                  push ebx
  00027552  4f                  dec edi
  00027553  2e 64 6c            insb byte ptr es:[edi], dx
  00027556  6c                  insb byte ptr es:[edi], dx
  00027557  00 b8 43 00 00 00   add byte ptr [eax + 0x43], bh
  0002755D  00 00               add byte ptr [eax], al
  0002755F  00 c8               add al, cl
  00027561  43                  inc ebx
  00027562  00 00               add byte ptr [eax], al
  00027564  de 43 00            fiadd word ptr [ebx]
  00027567  00 f2               add dl, dh
  00027569  43                  inc ebx
  0002756A  00 00               add byte ptr [eax], al
  ```

  Caveat: this region lies inside the carved executable (0x23E00 plus 42419 bytes ends at 0x2E3B2), at offset 0x370C into that PE, and the bytes after the sled are not code. 55 53 45 52 33 32 2E 64 6C 6C 00 is the ASCII string "USER32.dll", 4D 53 4F 2E 64 6C 6C 00 is "MSO.dll", and the values that follow (0x43B8, 0x00000000, 0x43C8, 0x43DE, 0x43F2, ...) are small 32-bit table entries. The push/inc/insb sequence above is a by-product of disassembling string data, and the 0x90 run is more plausibly padding inside the executable than a landing zone for a memory-corruption exploit. A 0x90 run located outside the carved PE's byte range would carry far more weight as shellcode evidence.
- Reference to LoadLibrary API (high) [SC_STR_LOADLIBRARY]
  Reference to the LoadLibrary API.

- Reference to GetProcAddress API (high) [SC_STR_GETPROCADDRESS]
  Reference to the GetProcAddress API.

- Reference to VirtualProtect API (medium) [SC_STR_VIRTUALPROTECT]
  Reference to the VirtualProtect API.

- Suspicious extracted artifact (medium) [EXTRACTED_FILE_STATIC_TRIAGE]
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

- Unsupported Office format for VBA extraction (info) [OFFICE_FORMAT_UNSUPPORTED]
  The analyzer could not extract VBA macros: the document may be legacy, encrypted or malformed.
- Embedded URL (info) [EMBEDDED_URL]
  One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL label records which channel (macro, JS, link annotation, document body, ...) reached it. All of the URLs below were found in document text (OLE body):
  - http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
  - http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt
  - http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
  - http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt
  - http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
  - http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt
  - http://office.microsoft.com
  - http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
  - http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt
  - http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
  - http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt
  - http://www.microsoft.com/pkiops/docs/primarycps.htm
  - http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
  - http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
  - http://www.microsoft.com/PKI/docs/CPS/default.htm
  - http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
  - http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt

  Caveat: apart from office.microsoft.com, every one of these is a CRL distribution point, an AIA certificate-issuer URL or a CPS pointer from Microsoft's code-signing, timestamping and root certificate chains. Strings like these live inside X.509 certificates, typically the PKCS#7 Authenticode blob attached to an executable, so they are consistent with the embedded PE carrying a Microsoft certificate chain and are not download or command-and-control indicators. Whether the carved PE actually carries a signature, and whether it validates, is worth checking separately (for example with `osslsigncode verify` on the carved file). The "0" plus one character that trailed each URL in the raw extraction was the DER SEQUENCE tag (0x30) and length byte of the next certificate field, not part of the URL.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| embedded_office_00023e00.exe | embedded-pe | Office MZ+PE at offset 0x23E00 | 42419 bytes | 23b71d35056ce52cc84c934f4823adcf4249a33ac820b012487f36390fe1b252 |
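The following Python script is an added worked example, not code from the original report or its analyzer. It reproduces what the artifact table and the NOP-sled heuristic describe: it scans a blob for MZ/PE headers, computes each image's on-disk size from its section table (extended to cover an appended Authenticode signature, if the security data directory names one), carves and SHA-256-hashes the image, and then attributes every run of 20+ 0x90 bytes and every shellcode-style API name to the PE that contains it, so a sled or an import string that lies inside the carved executable is not counted again as free-standing shellcode. The OLE-magic host, the minimal PE32 image and both 0x90 runs are constructed inline for the demo; the real sample's executable at 0x23E00 would be located and carved the same way, assuming the document is stored uncompressed.

```python
import hashlib
import re
import struct

# API names static shellcode triage keys on: the LoadLibrary/GetProcAddress
# resolver pair plus VirtualProtect.  Ordinary PEs import them too.
API_STRINGS = [b"LoadLibraryA", b"LoadLibraryW", b"GetProcAddress", b"VirtualProtect"]
NOP_RUN = re.compile(rb"\x90{20,}")     # "20+ consecutive 0x90 bytes"
MAX_SECTIONS = 96                        # PE loader limit; more means a corrupt header


def pe_image_size(data, off):
    """On-disk size of the PE image whose MZ header starts at data[off], or None
    if there is no well-formed PE there.  The size is the end of the last raw
    section, extended to cover an appended Authenticode signature if present."""
    try:
        if data[off:off + 2] != b"MZ":
            return None
        e_lfanew, = struct.unpack_from("<I", data, off + 0x3C)
        pe = off + e_lfanew
        if data[pe:pe + 4] != b"PE\x00\x00":
            return None
        nsections, = struct.unpack_from("<H", data, pe + 6)
        opt_size, = struct.unpack_from("<H", data, pe + 20)
        if not 1 <= nsections <= MAX_SECTIONS:
            return None
        opt = pe + 24                          # optional header
        sections = opt + opt_size              # section table
        end = (sections + 40 * nsections) - off  # headers at the very least
        for i in range(nsections):
            raw_size, raw_ptr = struct.unpack_from("<II", data, sections + 40 * i + 16)
            end = max(end, raw_ptr + raw_size)
        # Data directory 4 (SECURITY) holds a *file offset* (not an RVA) and size
        # of the PKCS#7 Authenticode blob, which sits after the last section.
        magic, = struct.unpack_from("<H", data, opt)
        dir_base = {0x10B: 96, 0x20B: 112}.get(magic)   # PE32 / PE32+
        if dir_base is not None and opt_size >= dir_base + 40:
            sec_off, sec_size = struct.unpack_from("<II", data, opt + dir_base + 32)
            if sec_off and sec_size:
                end = max(end, sec_off + sec_size)
    except struct.error:                       # header runs past the buffer
        return None
    if off + end > len(data):                  # truncated image: not carvable as-is
        return None
    return end


def find_embedded_pes(data):
    """All (offset, size) pairs at which a complete PE image is embedded."""
    found = []
    for m in re.finditer(b"MZ", data):
        size = pe_image_size(data, m.start())
        if size is not None:
            found.append((m.start(), size))
    return found


def containing_pe(pes, off):
    """Offset of the carved PE that contains file offset `off`, else None."""
    return next((p for p, n in pes if p <= off < p + n), None)


def triage(data):
    """Carve PEs, then attribute 0x90 runs and API strings to the PE holding them."""
    pes = find_embedded_pes(data)
    return {
        "pes": [{"offset": p, "size": n, "sha256": hashlib.sha256(data[p:p + n]).hexdigest()}
                for p, n in pes],
        "nop_runs": [{"offset": m.start(), "length": len(m.group()),
                      "in_pe": containing_pe(pes, m.start())} for m in NOP_RUN.finditer(data)],
        "api_strings": [{"name": s.decode(), "offset": m.start(),
                         "in_pe": containing_pe(pes, m.start())}
                        for s in API_STRINGS for m in re.finditer(re.escape(s), data)],
    }


def build_sample_document():
    """Constructed test input (not a real sample): an OLE-magic host with one
    minimal PE32 image at 0x300 whose .text holds DLL names separated by 0x90
    padding, like the region the report disassembled, plus a free-standing
    0x90 run followed by a jmp-to-self at 0x800, outside any PE."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    sect = bytearray(40)
    sect[:5] = b".text"
    struct.pack_into("<IIII", sect, 8, 0x200, 0x1000, 0x200, 0x200)  # vsize, va, rawsize, rawptr
    headers = (bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + bytes(sect)).ljust(0x200, b"\x00")
    text = (b"USER32.dll\x00" + b"\x90" * 24 + b"MSO.dll\x00"
            + b"LoadLibraryA\x00GetProcAddress\x00").ljust(0x200, b"\x00")
    ole_host = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1".ljust(0x300, b"\x00")
    return ole_host + headers + text + b"\x00" * 0x100 + b"\x90" * 40 + b"\xEB\xFE" + b"\x00" * 0x40


if __name__ == "__main__":
    report = triage(build_sample_document())
    for pe in report["pes"]:
        print("embedded PE at 0x%X, %d bytes, sha256 %s" % (pe["offset"], pe["size"], pe["sha256"]))
    for run in report["nop_runs"]:
        where = ("inside PE at 0x%X" % run["in_pe"]) if run["in_pe"] is not None \
            else "OUTSIDE any carved PE (shellcode candidate)"
        print("0x90 x%d at 0x%X: %s" % (run["length"], run["offset"], where))
```

On the constructed input the script carves one PE at 0x300 (0x400 bytes), places the 24-byte 0x90 run at 0x50B and both API strings inside that PE, and reports only the 40-byte run at 0x800 as a free-standing shellcode candidate. That split is the check the SC_NOP_SLED and SC_STR_* findings above need before they are read as evidence of exploit shellcode rather than of the embedded executable's own contents.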
Detection

ClamAV: No threats found. A clean signature-based result carries no weight against the structural findings above; it only means no ClamAV signature matched this particular file.

Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: NOP sled, SC_STR_VIRTUALPROTECT, SC_STR_LOADLIBRARY. Recovered API/import strings: shlwapi.dll, VirtualProtect, LoadLibraryA, LoadLibraryW, GetProcAddress.

Caveat: LoadLibraryA/GetProcAddress plus VirtualProtect is the classic self-resolving shellcode pattern, but the same names are ordinary imports of almost any Windows executable, and this sample contains one. Before treating them as shellcode evidence, check whether the strings fall inside the carved PE's byte range (0x23E00 to 0x2E3B2) and, if so, whether they sit in its import table; the carved PE itself is already covered by the OLE_EMBEDDED_EXE finding.