Win.Dropper.Agent-30180 — Office (OLE) / .PPT malware analysis

Static analysis result for SHA-256 771293ab20afd4da…

MALICIOUS

Office (OLE) / .PPT

Size: 857.1 KB (877,670 bytes) · Created: 2009-05-21 02:07:35 · Authoring application: Microsoft PowerPoint
MD5: 722efe25f0d973fbb684cc32da1f693e SHA-1: b4bfd927a28a5d26d8d1f81335fe504bd3c0bc34 SHA-256: 771293ab20afd4da5ac9908915f5fd04467f6b444bade8ac68bb8ed60648c792
Risk Score: 200

Malware Insights

Win.Dropper.Agent-30180 · confidence 90%

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file triggers two critical heuristics: ClamAV detects it as Win.Dropper.Agent-30180, and eight Windows library/API names (wininet.dll, LoadLibraryA, GetProcAddress, VirtualAlloc) are found XOR-encoded with the single-byte key 0xCC. That set of names is the classic footprint of position-independent shellcode that resolves its imports at runtime (LoadLibraryA/GetProcAddress), allocates executable memory (VirtualAlloc) and, given the wininet.dll reference, most likely fetches a second stage over HTTP. A NOP sled and an OLE slack anomaly (98% of the file sits in sectors that no declared stream accounts for) point to an exploit document carrying embedded shellcode outside the legitimate document structure rather than to a macro-based dropper. The document is most plausibly delivered as a spearphishing attachment and acts as a dropper for a secondary payload.

Heuristics 4

  • XOR-encoded strings (key 0xCC) critical SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xCC: 'wininet.dll', 'LoadLibraryA', 'LoadLibraryA', 'LoadLibraryA', 'GetProcAddress', 'GetProcAddress', 'GetProcAddress', 'VirtualAlloc'
  • ClamAV: Win.Dropper.Agent-30180 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Dropper.Agent-30180
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 877,670 bytes but its declared streams total only 18,081 bytes — 859,589 bytes (98%) live in unallocated sector slack. This is the canonical hiding place for payloads in macro-less exploit documents in the binary (pre-OOXML) Office formats: XOR-encoded shellcode that a parser pointer-corruption bug in the document structure redirects execution into.
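The three structural heuristics above (single-byte XOR-encoded API names, a NOP sled, and streams that account for only a fraction of the compound file) can be reproduced without the scanner. The following is an added example written for this page, not the scanner's own code: a minimal OLE/CFB walker that sums the declared stream sizes from the directory and counts sectors the FAT marks free, a brute-force single-byte XOR scan for library/API names, and a 0x90 run finder. It assumes a version-3 compound file whose DIFAT fits in the header (any file under roughly 6.8 MB, which covers this sample), and it builds its own constructed fixture so it runs offline; the fixture's stream name, sizes and slack contents are invented for the demonstration. The ClamAV signature hit is not reproduced here.

```python
import re
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT, ENDOFCHAIN, FATSECT, NOSTREAM = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
# Names that hand-rolled shellcode typically resolves at runtime (assumed watchlist).
API_NAMES = [b"wininet.dll", b"kernel32.dll", b"LoadLibraryA", b"GetProcAddress",
             b"VirtualAlloc", b"URLDownloadToFileA", b"WinExec", b"CreateProcessA"]


def ole_slack(data):
    """Return (file_size, declared_stream_bytes, unallocated_bytes) for a v3 CFB
    file whose DIFAT fits in the 109 header slots. Sector n lives at (n+1)*ssz."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE/CFB file")
    ssz = 1 << struct.unpack_from("<H", data, 30)[0]          # sector size
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    difat = struct.unpack_from("<109I", data, 76)
    fat = []
    for s in difat[:num_fat]:                                 # load FAT sectors
        fat.extend(struct.unpack_from("<%dI" % (ssz // 4), data, (s + 1) * ssz))
    declared, sect, seen = 0, first_dir, set()
    while sect != ENDOFCHAIN and sect < len(fat) and sect not in seen:
        seen.add(sect)                                        # walk directory chain
        base = (sect + 1) * ssz
        for off in range(base, base + ssz, 128):              # 128-byte entries
            if data[off + 66] == 2:                           # object type 2 = stream
                declared += struct.unpack_from("<I", data, off + 120)[0]
        sect = fat[sect]
    n_sectors = (len(data) - ssz + ssz - 1) // ssz            # sectors present in file
    free = sum(1 for i in range(n_sectors) if i >= len(fat) or fat[i] == FREESECT)
    return len(data), declared, free * ssz


def xor_api_hits(data, names=API_NAMES):
    """Brute-force all 255 single-byte XOR keys; {key: [names decoded]}."""
    hits = {}
    for key in range(1, 256):
        plain = data.translate(bytes(b ^ key for b in range(256)))  # C-speed XOR
        found = [n.decode() for n in names if n in plain]
        if found:
            hits[key] = found
    return hits


def nop_sleds(data, min_len=20):
    """[(offset, length)] of runs of at least min_len consecutive 0x90 bytes."""
    return [(m.start(), m.end() - m.start())
            for m in re.finditer(rb"\x90{%d,}" % min_len, data)]


def analyse(data):
    size, declared, slack = ole_slack(data)
    return {"file_size": size, "declared_stream_bytes": declared, "slack_bytes": slack,
            "slack_pct": round(100.0 * slack / size, 1),
            "xor_hits": xor_api_hits(data), "nop_sleds": nop_sleds(data)}


def build_sample(key=0xCC):
    """Constructed fixture (not the real sample): header + 1 FAT sector + 1 directory
    sector + a 5000-byte stream in sectors 2..11, then 4 sectors the FAT marks
    FREESECT that hide XOR-encoded API names and a 64-byte NOP sled."""
    ssz = 512
    stream = b"\x0f\x00\xe8\x03" + b"\x00" * 4996
    hdr = bytearray(ssz)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)   # versions, BOM, shifts
    struct.pack_into("<9I", hdr, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))  # DIFAT: FAT at sector 0
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, 12)) + [ENDOFCHAIN] + [FREESECT] * 116
    d = bytearray(ssz)

    def entry(off, name, typ, child, start, size):
        n = name.encode("utf-16-le") + b"\x00\x00"
        d[off:off + len(n)] = n
        struct.pack_into("<H", d, off + 64, len(n))
        d[off + 66] = typ
        struct.pack_into("<IIIII", d, off + 68, NOSTREAM, NOSTREAM, child, 0, 0)
        struct.pack_into("<II", d, off + 116, start, size)

    entry(0, "Root Entry", 5, 1, ENDOFCHAIN, 0)
    entry(128, "PowerPoint Document", 2, NOSTREAM, 2, len(stream))
    xor = lambda s: bytes(b ^ key for b in s)
    slack = b"\x00".join(xor(n) for n in (b"wininet.dll", b"LoadLibraryA",
                                            b"GetProcAddress", b"VirtualAlloc"))
    slack = (b"\xcc" * 40 + slack).ljust(2 * ssz, b"\xcc")
    slack += (b"\x90" * 64).ljust(ssz, b"\xcc") + b"\x41" * ssz
    return bytes(hdr) + struct.pack("<128I", *fat) + bytes(d) + stream.ljust(10 * ssz, b"\x00") + slack


if __name__ == "__main__":
    print(analyse(build_sample()))
```

Run it against a real sample with `analyse(open(path, "rb").read())`. The slack figure here counts sectors the FAT explicitly marks free plus any trailing data beyond the FAT's coverage, which is slightly stricter than the scanner's "file size minus declared stream bytes" (that figure also folds in the header, FAT and directory sectors); either way a value near 98% means the document structure is a thin wrapper around something the parser never declares.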