Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 71b0290e4b905bab…

MALICIOUS

Office (OLE) / .PPT

Size: 220.6 KB | Created: 2009-05-21 02:07:35 | Authoring application: Microsoft PowerPoint
MD5: 59ed722d7d68d5c6e9108374f95bb90c
SHA-1: c2f672dd7c31a5841f8b0ee11dbc5e586fb2cf34
SHA-256: 71b0290e4b905bab7cede4c42bef17a8980157d08f2bc6f1d5e44e89ee5bf784
Risk Score: 140

Malware Insights

The presence of a NOP sled and XOR-encoded strings is a strong indicator of malicious intent, commonly found in exploit-laden documents. The OLE slack anomaly further suggests obfuscation or padding typical of malware. While no specific VBA or script content was provided, the heuristics point towards a malicious PowerPoint file, likely attempting to execute code or exploit a vulnerability.

Heuristics (3)

  • XOR-encoded strings (key 0xCC) [critical, SC_XOR_ENCODED]
    Found 6 Windows library/API name(s) XOR-encoded with single-byte key 0xCC: 'LoadLibraryA', 'LoadLibraryA', 'GetProcAddress', 'GetProcAddress', 'VirtualAlloc', 'RegOpenKeyExA'
  • NOP sled detected [high, SC_NOP_SLED]
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]
    OLE file is 225,844 bytes but its declared streams total only 18,081 bytes; 207,763 bytes (92%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).