Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 a84bce865447cdd8…

Verdict: MALICIOUS

File type: Office (OLE) / .PPT
Size: 929.5 KB
Created: 1601-01-01 00:00:00
Authoring application: Microsoft PowerPoint
MD5: e58a3de2c183a3abefc66fb607ff5c8c
SHA-1: 1fa1befb64f5f0e82a3a1e62b6366170c59c0e95
SHA-256: a84bce865447cdd8c28c1fbc0ef9128cedee99ee9667a04c9ef6172fec31b01a
Risk score: 286

Malware Insights

MITRE ATT&CK
  • T1204.002 — User Execution: Malicious File
  • T1059.001 — Command and Scripting Interpreter: PowerShell
  • T1059.003 — Command and Scripting Interpreter: Windows Command Shell
  • T1059.005 — Command and Scripting Interpreter: Visual Basic

The sample is a malicious PowerPoint file identified by ClamAV as Win.Downloader.18273-1. It exploits CVE-2006-3877, a known vulnerability in PowerPoint's handling of malformed records, to embed and execute a secondary PE executable. The presence of VirtualAlloc, LoadLibrary, and GetProcAddress API calls further indicates malicious activity, likely related to the execution of the embedded payload. No VBA macros were extractable, but the embedded executable is the primary indicator of malicious intent.

Heuristics (8)

  • CVE-2006-3877 — PowerPoint malformed record payload [critical | CVE likely | CVE_2006_3877]
    The PowerPoint OLE file declares a malformed, large-numbered Table stream that cannot be read through the CFB chain, while the carved stream bytes contain a PE-like payload. This is the static shape of the PowerPoint malformed-record exploit family fixed as CVE-2006-3877.
  • Embedded PE executable [critical | OLE_EMBEDDED_EXE]
    MZ/PE header found inside the document — possible embedded executable.
  • ClamAV: Win.Downloader.18273-1 [critical | CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Downloader.18273-1.
  • Reference to LoadLibrary API [high | SC_STR_LOADLIBRARY]
    The string "LoadLibrary" appears in the file.
  • Reference to GetProcAddress API [high | SC_STR_GETPROCADDRESS]
    The string "GetProcAddress" appears in the file.
  • Reference to VirtualAlloc API [medium | SC_STR_VIRTUALALLOC]
    The string "VirtualAlloc" appears in the file.
  • Unsupported Office format for VBA extraction [info | OFFICE_FORMAT_UNSUPPORTED]
    olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. The file is likely a legacy, encrypted, or malformed OLE/OOXML document — re-scanning the same bytes will yield the same outcome.
  • Suspicious extracted artifact [info | EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_0000466a.exe
SHA-256: 347ab4772d3cd74f9ca66586e14491f55024ef7bf68f6a2f5d4d7a0542ef55c0
Kind: embedded-pe
Source: Office MZ+PE at offset 0x466A
Size: 933782 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact entropy is 8.00, consistent with packed or encrypted content)