Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 9647740a0153855d…

MALICIOUS

Office (OLE) / .PPT

Size: 123.9 KB
Created: 1601-01-01 00:00:00
Authoring application: Microsoft PowerPoint
MD5: 3949ec6f9201a2556fc55e02425d6164
SHA-1: a59034bc0ac3829586e6cd7323fd570301db2d79
SHA-256: 9647740a0153855dc8f01a1f75c86bca1ddae216474877ebfdd98ae356800ae7
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1027 Obfuscated Files or Information
  • T1497.001 Virtualization/Sandbox Evasion: System Checks

The sample triggers several high-severity heuristics, including PEB access, an API-hash resolver, and a heap-spray pattern, all indicative of embedded shellcode rather than benign document content. The presence of Windows library and API names XOR-encoded with a single-byte key of 0x49 indicates an attempt to hide the payload's imports from string-based scanning. No specific malware family is identified, but these techniques are commonly used by downloaders or droppers to evade detection and execute further stages.

Heuristics (5)

  • XOR-encoded strings (key 0x49) [critical, SC_XOR_ENCODED]
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x49: 'kernel32.dll', 'advapi32.dll', 'shell32.dll', 'KERNEL32.DLL', 'ADVAPI32.DLL', 'CreateProcessA', 'ExitProcess', 'ExitProcess'
  • PEB access via FS segment (x86) [high, SC_PEB_ACCESS]
    PEB access via the FS segment register (x86), typically used by shellcode to locate loaded modules without imports
  • PEB API-hash resolver [high, SC_API_HASH_RESOLVER]
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • Heap-spray pattern detected [high, SC_HEAP_SPRAY]
    Repeated 0x41 ('A') bytes found
  • NOP-equivalent sled detected [medium, SC_NOP_EQUIV_SLED]
    Long run of 0x40 bytes