Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 72274960f485871f…

MALICIOUS

Office (OLE) / .PPT

Size: 616.5 KB
Created: 1601-01-01 00:00:00
Authoring application: Microsoft PowerPoint
MD5: c7a1dfe3d6ea571f73b5702a4cbeab64
SHA-1: 994fe5a04ab858067ee1a61457b109216e9b63a2
SHA-256: 72274960f485871f9922547547fd9f10f106bc5cb484aa1fb7783ebe9f29a54b
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1564.002 Obfuscated Files or Information: Hidden Window
  • T1071.001 Web Protocols: Web Protocols
  • T1218.011 System Binary Proxy Execution: Rundll32

The sample exhibits high-confidence heuristics for PEB access, API hash resolution, and the use of ShellExecute, indicating a sophisticated attempt to hide its functionality and execute code. The presence of obfuscated code and references to scripting interpreters suggests it is designed to download and run a second-stage payload, likely for further malicious actions.

Heuristics (4)

  • x86 GetPC stub (CALL $+5; POP EAX) — severity: high — ID: SC_GETPC_CALL
  • PEB access via FS segment (x86) — severity: high — ID: SC_PEB_ACCESS
  • PEB API-hash resolver — severity: high — ID: SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • Reference to ShellExecute API — severity: high — ID: SC_STR_SHELLEXEC