Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 79284a3efb23127e…

MALICIOUS

Office (OLE) / .PPT

387.5 KB Created: 2003-02-27 08:38:25 Authoring application: Microsoft PowerPoint
MD5: 04f8fa96ffdf104533b49539fa4fc7a6 SHA-1: 27799c18957ef9da58f74540497f076efd5e9e45 SHA-256: 79284a3efb23127edeeea0577c00632457f77863c7fe931c18afb92ebd44a88d
282 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is a Microsoft PowerPoint file containing an embedded PE executable. Heuristics indicate the presence of APIs commonly used for loading and executing code, such as VirtualProtect, LoadLibrary, and GetProcAddress. The embedded executable is the primary indicator of malicious intent, suggesting the document is a lure to trick the user into executing a malicious payload.

Heuristics 7

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Win.Trojan.Agent-38815 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Agent-38815
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.iec.ch
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0004b9f7.exe
b0eb95336744364fbcf3b3e15733323046d5230308b5b562bca82937949c23bd		 embedded-pe Office MZ+PE at offset 0x4B9F7 87049 bytes
Detection
ClamAV: Win.Trojan.Agent-38815
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.