Office (OLE) / .PPS malware analysis — malicious · 6254b860f7302f54

MALICIOUS

Office (OLE) / .PPS

268.0 KB Created: 1601-01-01 00:00:00 Authoring application: Microsoft PowerPoint

MD5: 440b62f954b73a9d50f54caea0568f87 SHA-1: c767e60cceee90c8ea7f55a64565b7f8abf60588 SHA-256: 6254b860f7302f540c3fde0fb832d1b95e718aaf9ec1c21c6979666668f60999

180 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is a PowerPoint slideshow (PPS) file that contains an embedded PE executable. Heuristics indicate the use of WinExec, LoadLibrary, and GetProcAddress APIs, suggesting the embedded executable is likely launched. The presence of an embedded executable strongly points to a malicious dropper or downloader.

Heuristics 4

Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_office_00003278.exe` `b385931989bf5201b262bd9f5c84bb644b8f61c8c482aa472f6117da17978f9d`	embedded-pe	Office MZ+PE at offset 0x3278	261512 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.