Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6d750a96eba47518…

MALICIOUS

Office (OLE)

Size: 616.5 KB
Created: 1601-01-01 00:00:00 (the Windows FILETIME epoch, i.e. no creation timestamp was recorded)
Authoring application: Microsoft PowerPoint
MD5: 0c6da51bbcf1b34ffc9312c3d17687b1
SHA-1: de28f3ffff39d99d821d5eef845f6b7f64ca80c3
SHA-256: 6d750a96eba47518aac400278aad75e5828a8595fd6ee55f8fc7e40462cafc5d
Risk Score: 280

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1055 Process Injection
  • T1055.012 Process Hollowing

The sample exhibits high-confidence heuristic firings related to PEB access, API hashing, and the use of core Windows API functions for process manipulation (CreateProcess, VirtualAlloc, VirtualProtect, LoadLibrary, GetProcAddress). This strongly suggests an attempt to execute arbitrary code, likely by loading and running a second-stage payload. The presence of FS segment access and PEB offsets further indicates sophisticated evasion and execution techniques.

Heuristics (8)

  • x86 GetPC stub (CALL $+5; POP EAX)  [severity: high, rule: SC_GETPC_CALL]
  • PEB access via FS segment (x86)  [severity: high, rule: SC_PEB_ACCESS]
  • PEB API-hash resolver  [severity: high, rule: SC_API_HASH_RESOLVER]
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • Reference to CreateProcess API  [severity: high, rule: SC_STR_CREATEPROCESS]
  • Reference to LoadLibrary API  [severity: high, rule: SC_STR_LOADLIBRARY]
  • Reference to GetProcAddress API  [severity: high, rule: SC_STR_GETPROCADDRESS]
  • Reference to VirtualAlloc API  [severity: medium, rule: SC_STR_VIRTUALALLOC]
  • Reference to VirtualProtect API  [severity: medium, rule: SC_STR_VIRTUALPROTECT]