MALICIOUS
382
Risk Score
Malware Insights
MITRE ATT&CK
T1204 Malicious File
T1059 Command and Scripting Interpreter
T1027 Obfuscated Files or Information
The sample is identified as malicious by ClamAV and exhibits critical heuristic firings indicating exploit activity (CVE-2006-3590) and XOR-encoded strings. The presence of LoadLibrary and GetProcAddress API references suggests dynamic loading of further malicious code. Although VBA macros could not be extracted, the core exploit mechanism is clearly identified.
Heuristics 9
-
CVE-2006-3590 — PowerPoint malformed shape-container payload critical CVE likely CVE_2006_3590PowerPoint Pictures stream begins with malformed shape-container material and carries embedded resolver shellcode or a PE-like payload. This matches the MS06-048 mso.dll PowerPoint exploit family tracked as CVE-2006-3590.
-
XOR-encoded strings (key 0x5D) critical SC_XOR_ENCODEDFound 4 Windows library/API name(s) XOR-encoded with single-byte key 0x5D: 'KERNEL32.DLL', 'LoadLibraryA', 'GetProcAddress', 'InternetOpenA'
-
ClamAV: Win.Trojan.Exploit-110 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Exploit-110
-
x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALLx86 GetPC stub (CALL $+5; POP EAX)
-
PEB access via FS segment (x86) high SC_PEB_ACCESSPEB access via FS segment (x86)
-
PEB API-hash resolver high SC_API_HASH_RESOLVERPEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTEDolevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.
Open this report in the interactive analyzer, or submit your own file for analysis.