Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 7ecc63df796e4bfd…

MALICIOUS

Office (OLE) / .PPT

Size: 213.0 KB
Created: 1601-01-01 00:00:00
Authoring application: Microsoft PowerPoint
MD5: 1804b50a72eb25cbe07f24663a3c1282
SHA-1: ceeff5a0d46b296996ec6d0a2c149d513a5d2dd6
SHA-256: 7ecc63df796e4bfd4b700bddc5b342c3b18b6c9e63c762228367f737dae75e71
Risk Score: 302

Malware Insights

MITRE ATT&CK
  • T1059.001 — Command and Scripting Interpreter: PowerShell
  • T1204.002 — User Execution: Malicious File

The sample is a PowerPoint file exhibiting multiple high-severity heuristics indicative of shellcode execution, including NOP sleds, PEB access, and an API hash resolver. It also contains a malformed picture-record payload related to CVE-2006-0022, suggesting exploitation of a PowerPoint vulnerability. The XOR-encoded strings further suggest a packed or obfuscated payload. While VBA macros could not be extracted, the presence of raw shellcode and exploitation indicators points to a malicious downloader.

Heuristics (8)

  • PowerPoint malformed picture-record payload — CVE-2006-0022 related [severity: high; tag: CVE related; rule: PPT_CVE_2006_0022_RELATED]
    PowerPoint OLE file has a large Pictures stream with image-record material and MZ-like payload bytes, while the PowerPoint Document stream contains compact PEB/API-resolver shellcode. This is related to the CVE-2006-0022 malformed picture-record exploit family, but the static evidence is not specific enough for an exact CVE match.
  • XOR-encoded strings (key 0x92) [severity: critical; rule: SC_XOR_ENCODED]
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x92: 'advapi32.dll', 'shell32.dll'
  • NOP sled detected [severity: high; rule: SC_NOP_SLED]
    Found 20+ consecutive 0x90 bytes
  • x86 GetPC stub (CALL $+5; POP EBX) [severity: high; rule: SC_GETPC_CALL]
    x86 GetPC stub (CALL $+5; POP EBX)
  • PEB access via FS segment (x86) [severity: high; rule: SC_PEB_ACCESS]
    PEB access via FS segment (x86)
  • PEB API-hash resolver [severity: high; rule: SC_API_HASH_RESOLVER]
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • OLE file contains raw shellcode-like resolver payload [severity: high; rule: OLE_RAW_SHELLCODE_PAYLOAD]
    Malformed or legacy OLE file contains raw PEB/API-resolver shellcode bytes at the file level, including loader-walk instructions and a nearby payload marker. This indicates an exploit payload carrier but does not identify a specific parser CVE.
  • Unsupported Office format for VBA extraction [severity: info; rule: OFFICE_FORMAT_UNSUPPORTED]
    olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely a legacy, encrypted, or malformed OLE/OOXML file; re-scanning the same bytes will yield the same outcome.