Office (OLE) / .PPS malware analysis — malicious · 764694bb9865db8b

MALICIOUS

Office (OLE) / .PPS

2.38 MB Created: 2009-03-20 22:40:26 Authoring application: Microsoft Office PowerPoint

MD5: a6972ea817c1b64fc1024b257edaf6df SHA-1: f954f94239be6bb774e6414094544397354b3099 SHA-256: 764694bb9865db8be8b6cc517533b4114d30e703d67e6844837d4c0b89424010

82 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The file is a PowerPoint slideshow (PPS) with a verdict of malicious. It contains appended executable data, indicating it's likely a dropper or container for a secondary payload. The document body is a religious-themed message designed to encourage sharing, a common social engineering tactic to spread malware. No scripts were extracted, and the embedded URLs are benign, suggesting the malicious payload is likely within the appended data.

Heuristics 3

x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP EAX)
OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD

OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/iX/1.0/
- http://ns.adobe.com/exif/1.0/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/photoshop/1.0/
- http://ns.adobe.com/tiff/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://purl.org/dc/elements/1.1/
- http://schemas.openxmlformats.org/drawingml/2006/main

Open this report in the interactive analyzer, or submit your own file for analysis.