Verdict: MALICIOUS
Risk Score: 480

Malware Insights

MITRE ATT&CK: T1203 Exploitation for Client Execution
The file is a malicious PowerPoint document that leverages the CVE-2006-0022 vulnerability to execute arbitrary code. Static analysis indicates the presence of APIs like CreateProcess, VirtualAlloc, WriteProcessMemory, and CreateRemoteThread, strongly suggesting the exploitation of this vulnerability to load and run a secondary payload. The embedded executable further supports this finding.
Heuristics (11)

- CVE-2006-0022 — PowerPoint malformed picture-record payload (critical; CVE likely; CVE_2006_0022): PowerPoint OLE file contains a malformed large Pictures stream that cannot be read through the declared CFB chain, while the contiguous stream bytes contain image material and a PE-like payload. This is the static shape of the PowerPoint malformed-record exploit fixed as CVE-2006-0022.
- Reference to WriteProcessMemory API (critical; SC_STR_WRITEPROCESSMEMORY)
- Reference to CreateRemoteThread API (critical; SC_STR_CREATEREMOTETHREAD)
- x86 GetPC stub (CALL $+5; POP EAX) (high; SC_GETPC_CALL)
- PEB access via FS segment (x86) (high; SC_PEB_ACCESS)
- PEB API-hash resolver (high; SC_API_HASH_RESOLVER): PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver.
- Reference to CreateProcess API (high; SC_STR_CREATEPROCESS)
- Reference to LoadLibrary API (high; SC_STR_LOADLIBRARY)
- Reference to GetProcAddress API (high; SC_STR_GETPROCADDRESS)
- Embedded PE executable (high; OLE_EMBEDDED_EXE): MZ/PE header found inside document — possible embedded executable.
- Reference to VirtualAlloc API (medium; SC_STR_VIRTUALALLOC)