Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 771293ab20afd4da…

MALICIOUS

Office (OLE) / .PPT

857.1 KB Created: 2009-05-21 02:07:35 Authoring application: Microsoft PowerPoint First seen: 2026-06-21
MD5: 722efe25f0d973fbb684cc32da1f693e SHA-1: b4bfd927a28a5d26d8d1f81335fe504bd3c0bc34 SHA-256: 771293ab20afd4da5ac9908915f5fd04467f6b444bade8ac68bb8ed60648c792
200 Risk Score

Heuristics 4

  • ClamAV: Win.Dropper.Agent-30180 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Dropper.Agent-30180
  • XOR-encoded strings (key 0xCC) critical SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xCC: 'wininet.dll', 'LoadLibraryA', 'LoadLibraryA', 'LoadLibraryA', 'GetProcAddress', 'GetProcAddress', 'GetProcAddress', 'VirtualAlloc'
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 877,670 bytes but its declared streams total only 18,081 bytes — 859,589 bytes (98%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.