Malicious Office (OOXML) / .PPTX — malware analysis report

Static analysis result for SHA-256 8862814ed8db9fda…

MALICIOUS

Office (OOXML) / .PPTX

Size: 134.1 KB
First seen: 2026-06-12
MD5: eb537fc7b9eb30a30ad070b4025f138d
SHA-1: 1c65f0e59dbafdb33ac5bce07249989813cbb67c
SHA-256: 8862814ed8db9fda82cec5e2f96529af61cbc9cce6de41e08221477782bca51a
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is a malicious PPTX file containing an embedded OLE object. This object, identified as a package, is designed to drop an executable payload named 'siparisler.jar'. The presence of this embedded executable strongly suggests an attack pattern involving spearphishing, where the document is intended to trick the user into opening it and subsequently executing the dropped payload.

Heuristics (3)

  • Ole10Native package drops an auto-executable payload (critical, OFFICE_PACKAGE_RISKY_FILE)
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Embedded OLE object (medium, OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (3)

Files carved from inside the sample during analysis (filename, kind, source, size).

  • ooxml_oleobject_00.bin
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: ppt/embeddings/oleObject1.bin
    Size: 95744 bytes
    SHA-256: 8f0f83f6190d1a2544077a4d4a9fcfeef2f9a9ac190545bb157eeca141af7879
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 7.83, consistent with packed or encrypted content.
  • ooxml_oleobject_00_ole10native_00.bin
    Kind: ole-package
    Source: OOXML ppt/embeddings/oleObject1.bin Ole10Native stream: Ole10Native
    Size: 88187 bytes
    SHA-256: a08c6052c5fdb9dcd4f7995eab00a7aa2fa2b597b1ea714f968564f59a263121
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 7.99, consistent with packed or encrypted content.
  • ooxml_oleobject_00_ole10native_00_siparisler.jar
    Kind: ole-package-payload
    Source: OOXML ppt/embeddings/oleObject1.bin Ole10Native payload: display_name=siparisler.jar; full_path=C:\DOCUME~1\XPMUser\Desktop\SIPARI~1.JAR; temp_path=; def_file=
    Size: 88070 bytes
    SHA-256: b4fc552e687a1b07f518f8aaa80c86c7f3da6ab42dd94ba40316f02a978d3b62