Office (OLE) / .PPT malware analysis — malicious · 6eac0af92c2d9435

MALICIOUS

Office (OLE) / .PPT

3.30 MB Created: 2009-05-21 02:07:35 Authoring application: Microsoft PowerPoint

MD5: 51ede40293152b6fe56b3e68093420e9 SHA-1: eefefc30cf5377323f8eda530e955e0697333dbb SHA-256: 6eac0af92c2d9435b6fdf8b45bbb117ca730d497c81b1133b5f729c29f6dd95e

180 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1027 Obfuscated Files or Information T1140 Deobfuscate/Decode Files or Information

The file is a PowerPoint document exhibiting several high and critical heuristic firings, including an appended executable payload and XOR-encoded strings. The presence of a NOP sled and significant slack space within the OLE structure further suggests malicious intent. The XOR encoding indicates an attempt to obfuscate malicious content, likely a second-stage payload.

Heuristics 4

XOR-encoded strings (key 0x60) critical SC_XOR_ENCODED

Found 7 Windows library/API name(s) XOR-encoded with single-byte key 0x60: 'LoadLibraryW', 'LoadLibraryExA', 'GetProcAddress', 'CreateProcessA', 'CreateProcessA', 'CreateProcessW', 'RegOpenKeyExA'
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 3,460,612 bytes but its declared streams total only 18,081 bytes — 3,442,531 bytes (99%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD

OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.

Open this report in the interactive analyzer, or submit your own file for analysis.