Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 987461d669327462…

Verdict: MALICIOUS

File type: Office (OLE) / .PPT

Size: 618.5 KB (633,344 bytes)
Created: 1601-01-01 00:00:00 (the zero FILETIME value; the creation timestamp is unset or was scrubbed, so it carries no attribution value)
Authoring application: Microsoft PowerPoint
MD5: e5c90f9beaabef8ef350c6bbb8dba64a
SHA-1: 0344e78e8f1f82960d67813033b28434c3f0b7d1
SHA-256: 987461d669327462f5d2eff031d1fadb8ecb8f82291aa97517afe79d83630e97
Risk Score: 160

Malware Insights

MITRE ATT&CK
T1059 Command and Scripting Interpreter
T1059.001 Command and Scripting Interpreter: PowerShell
T1059.003 Command and Scripting Interpreter: Windows Command Shell

The sample is a binary-format (OLE) PowerPoint file in which 93% of the bytes sit in unallocated sector slack outside any declared stream, the classic location for an embedded exploit payload. The visible document text discusses military conflict scenarios between India and China and is consistent with a targeted lure. Byte-level heuristics found a GetPC stub, a PEB read through the FS segment and a ROR13-style API-hash loop: together these form the standard import-resolution prologue of position-independent x86 shellcode, which needs them because it has no import table of its own, not only to evade detection. No scripts were extracted and no network or file IOCs were identified, so the ATT&CK mapping to PowerShell and the Windows command shell is not corroborated by any recovered artefact; the direct evidence points to native shellcode.

Heuristics (4)

  • SC_GETPC_CALL (high): x86 GetPC stub (CALL $+5; POP EAX)
    A CALL to the next instruction followed by a POP of the pushed return address; this is how position-independent shellcode learns its own load address.
  • SC_PEB_ACCESS (high): PEB access via FS segment (x86)
    A read of FS:[0x30], the PEB pointer in the 32-bit TEB; the first step in walking the loader's module list to find kernel32 without an import table.
  • SC_API_HASH_RESOLVER (high): PEB API-hash resolver
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver.
  • OLE_SLACK_ANOMALY (high): OLE document has large unaccounted-for region
    The OLE file is 633,344 bytes but its declared streams total only 42,436 bytes, leaving 590,908 bytes (93%) in unallocated sector slack. This is the classic hiding place for the payload of a binary-format Office parser exploit: XOR-encoded shellcode that a pointer-corruption bug in the document parser redirects execution into.
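The slack figure in OLE_SLACK_ANOMALY is simple arithmetic over the compound-file directory, but it is worth seeing how it is computed and why a second, FAT-based number is useful. The following is an added example written for this page, not the vendor's analyser: a minimal reader for the version-3 OLE compound file (CFB) layout that compares the bytes the directory declares for its streams, and the sectors the FAT actually allocates, against the file size. build_sample() constructs a small compound file with bytes appended that no FAT entry references, so the check runs offline; the stream name "Doc", the payload and the trailing filler are all constructed. The report's 633,344 / 42,436 figures are what the same arithmetic produces for the real sample.

```python
"""Added example: OLE/CFB slack measurement (not the page's own tooling)."""
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
STREAM, ROOT = 2, 5  # directory entry types


def _chain(fat, start):
    """Follow a FAT chain from `start`; special values (>= len(fat)) and loops end it."""
    seen = set()
    sec = start
    while sec < len(fat) and sec not in seen:
        seen.add(sec)
        yield sec
        sec = fat[sec]


def ole_slack(data):
    """Compare declared stream bytes and FAT-allocated sectors against the file size."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    ssz = 1 << struct.unpack_from("<H", data, 30)[0]          # sector size (512 for v3)
    num_fat, first_dir = struct.unpack_from("<II", data, 44)  # FAT sector count, first directory sector
    num_difat = struct.unpack_from("<I", data, 72)[0]
    if num_difat:  # more than 109 FAT sectors; assumption: not needed for this example
        raise NotImplementedError("DIFAT sectors outside the header are not handled here")
    fat = []
    for fs in struct.unpack_from("<109I", data, 76)[:num_fat]:  # header DIFAT lists the FAT sectors
        fat.extend(struct.unpack_from("<%dI" % (ssz // 4), data, (fs + 1) * ssz))
    streams = []
    for ds in _chain(fat, first_dir):
        for off in range((ds + 1) * ssz, (ds + 2) * ssz, 128):  # 128-byte directory entries
            name_len, etype = struct.unpack_from("<HB", data, off + 64)
            if etype != STREAM:
                continue
            name = data[off:off + max(name_len - 2, 0)].decode("utf-16-le")
            size = struct.unpack_from("<I", data, off + 120)[0]  # v3: only the low 32 bits are valid
            streams.append((name, size))
    declared = sum(size for _, size in streams)
    allocated = sum(1 for v in fat if v != FREESECT)  # FAT, directory, mini-FAT and stream sectors
    return {
        "file_size": len(data),
        "streams": streams,
        "declared_bytes": declared,
        "slack_pct": round(100.0 * (len(data) - declared) / len(data), 1),  # the report's metric
        "unreferenced_bytes": len(data) - (1 + allocated) * ssz,            # +1 for the header sector
    }


def build_sample(payload, trailing):
    """Constructed minimal v3 file: header, one FAT sector, one directory sector, the
    sectors of a single stream "Doc", then `trailing` bytes that no FAT entry references."""
    ssz = 512
    nsec = -(-len(payload) // ssz)
    hdr = bytearray(ssz)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)         # versions, byte order, sector shifts
    struct.pack_into("<IIII", hdr, 44, 1, 1, 0, 0x1000)               # FAT count, first dir sector, -, mini cutoff
    struct.pack_into("<IIII", hdr, 60, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini FAT, no DIFAT sectors
    struct.pack_into("<109I", hdr, 76, 0, *[FREESECT] * 108)          # DIFAT: the FAT lives in sector 0
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, 2 + nsec)) + [ENDOFCHAIN]  # sector 1 = dir, 2.. = stream
    fat += [FREESECT] * (ssz // 4 - len(fat))

    def entry(name, etype, child, start, size):
        e = bytearray(128)
        n = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(n)] = n
        struct.pack_into("<HBBIII", e, 64, len(n), etype, 1, FREESECT, FREESECT, child)
        struct.pack_into("<IQ", e, 116, start, size)
        return bytes(e)

    directory = entry("Root Entry", ROOT, 1, ENDOFCHAIN, 0) + entry("Doc", STREAM, FREESECT, 2, len(payload))
    return (bytes(hdr) + struct.pack("<128I", *fat) + directory.ljust(ssz, b"\x00")
            + payload.ljust(nsec * ssz, b"\x00") + trailing)


if __name__ == "__main__":
    # Constructed input: a 4,096-byte stream plus 2,560 trailing bytes standing in for an encoded payload.
    print(ole_slack(build_sample(b"A" * 4096, b"\x5A" * 2560)))
```

The declared-bytes ratio is what the report quotes; unreferenced_bytes is the stricter number, because stream sizes round up to whole sectors and a benign file therefore always shows a little declared slack, whereas bytes past the last FAT-allocated sector have no legitimate reason to exist.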
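The three shellcode heuristics above (SC_GETPC_CALL, SC_PEB_ACCESS, SC_API_HASH_RESOLVER) are byte-pattern checks, and because the report expects the payload to be XOR-encoded they are also a usable scoring function for recovering a single-byte key. The block below is an added example for this page, not the vendor's engine: the common x86 encodings of each idiom, a scanner that reports where they fire, a brute-force single-byte XOR key search that keeps the key exposing the most idioms, and a ROR13 hash calculator of the kind such a resolver compares its computed hashes against. The sample bytes are a hand-assembled fragment of the classic PEB-walk prologue constructed for this example; the hashing convention in api_hash() is the Metasploit block_api one and it is an assumption that this sample follows it.

```python
"""Added example: shellcode idiom scanner, XOR key search and ROR13 API hashing."""
import re

# Common x86 encodings of the flagged idioms (assumption: other encodings exist).
SIGNATURES = {
    # CALL rel32=0 (E8 00 00 00 00) then POP r32 (58..5F): the GetPC stub.
    "SC_GETPC_CALL": re.compile(rb"\xE8\x00\x00\x00\x00[\x58-\x5F]"),
    # MOV r32, FS:[0x30] (64 A1 30 00 00 00 or 64 8B /r disp32) or
    # MOV r32, FS:[r32+0x30] (64 8B modrm disp8=30): the PEB pointer read.
    "SC_PEB_ACCESS": re.compile(
        rb"\x64(?:\xA1\x30\x00\x00\x00"
        rb"|\x8B[\x05\x0D\x15\x1D\x2D\x35\x3D]\x30\x00\x00\x00"
        rb"|\x8B[\x40-\x7F]\x30)"),
    # ROR r32, 13 (C1 C8..CF 0D): the rotate inside the hash loop.
    "SC_API_HASH_RESOLVER": re.compile(rb"\xC1[\xC8-\xCF]\x0D"),
}

# Constructed fragment (hand-assembled for this example):
#   call $+5 / pop ebx / xor edx,edx / mov edx,fs:[edx+0x30] / mov edx,[edx+0xc]
#   / mov edx,[edx+0x14] / ror edi,13 / add edi,eax
SAMPLE_SHELLCODE = bytes.fromhex(
    "E800000000" "5B" "31D2" "648B5230" "8B520C" "8B5214" "C1CF0D" "01C7")


def scan(buf):
    """Return {heuristic_id: [offsets]} for every idiom present in buf."""
    hits = {}
    for name, pat in SIGNATURES.items():
        offsets = [m.start() for m in pat.finditer(buf)]
        if offsets:
            hits[name] = offsets
    return hits


def xor_decode(buf, key):
    return bytes(b ^ key for b in buf)


def find_xor_key(buf):
    """Try every single-byte key (0 = unencoded) and keep the one that exposes the
    most distinct idioms; returns (key, hits), or (None, {}) when nothing fires."""
    best_key, best_hits = None, {}
    for key in range(256):
        hits = scan(xor_decode(buf, key))
        if len(hits) > len(best_hits):
            best_key, best_hits = key, hits
    return best_key, best_hits


def ror32(value, bits):
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def ror13_hash(data):
    """Rotate-right-13-then-add over each byte: what the flagged loop computes."""
    h = 0
    for b in data:
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


def api_hash(module, function):
    """Metasploit block_api convention (assumption that this sample uses it): module name
    upper-cased as UTF-16LE with terminator, function name as ASCII with terminator, summed."""
    m = ror13_hash((module.upper() + "\x00").encode("utf-16-le"))
    f = ror13_hash((function + "\x00").encode("ascii"))
    return (m + f) & 0xFFFFFFFF


if __name__ == "__main__":
    encoded = xor_decode(SAMPLE_SHELLCODE, 0x5A)  # constructed: the fragment hidden behind one key byte
    print("raw hits:", scan(encoded))              # nothing fires on the encoded bytes
    key, hits = find_xor_key(encoded)
    print("key:", hex(key), "hits:", hits)
    print("kernel32.dll!LoadLibraryA:", hex(api_hash("kernel32.dll", "LoadLibraryA")))
```

In triage the key search is run over the slack region rather than the whole file, and a hit on the recovered key is then confirmed by disassembling from the GetPC offset; the hash calculator is used the other way round, to turn the DWORD constants the resolver compares against into API names by hashing a candidate export list.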