Office (OLE) / .PPT malware analysis — malicious · 9f7fa165bfaea439

MALICIOUS

Office (OLE) / .PPT

683.5 KB Created: 1601-01-01 00:00:00 Authoring application: Microsoft PowerPoint

MD5: 78373aaf62fc7f5ac369b50455e67d44 SHA-1: 2d93c1ab4e4c409e617fecab098df9820b26316f SHA-256: 9f7fa165bfaea4391f7618932087af9a1cf5872b18d7c13eff8951be2e67293c

506 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.001 PowerShell T1059.003 Windows Command Shell T1105 Ingress Tool Transfer T1055.012 Process Hollowing T1055.001 Process Injection

The sample is a PowerPoint file that exploits CVE-2006-3877 to embed and deliver a PE executable. Heuristics indicate the use of process injection and remote thread creation, suggesting the embedded executable is designed to execute malicious code. No VBA macros were extractable, but the presence of an embedded executable is a strong indicator of malicious intent.

Heuristics 14

CVE-2006-3877 — PowerPoint malformed record payload critical CVE likely CVE_2006_3877

PowerPoint OLE file declares a malformed large numbered Table stream that cannot be read through the CFB chain, while the carved stream bytes contain a PE-like payload. This is the static shape of the PowerPoint malformed-record exploit family fixed as CVE-2006-3877.
Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY

Reference to WriteProcessMemory API
Reference to CreateRemoteThread API critical SC_STR_CREATEREMOTETHREAD

Reference to CreateRemoteThread API
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
ClamAV: Win.Trojan.Agent-62058 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Agent-62058
Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

Reference to VirtualProtect API
Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED

olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/iX/1.0/
- http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_office_00003e78.exe` `3adc6ce0e3943d7f711367d44b2d13e0c7f15e3e390f14bd1ce4fd46aa779ae6`	embedded-pe	Office MZ+PE at offset 0x3E78	683912 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.87, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.