MALICIOUS
240
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The file is a PowerPoint document identified as malicious due to the presence of an embedded PE executable. Heuristics indicate it exploits CVE-2011-1269 / MS11-036, a known vulnerability for client execution. The embedded executable is the primary payload, likely delivered via spearphishing.
Heuristics 5
-
PowerPoint binary-format RCE payload — CVE-2011-1269 / MS11-036 family critical CVE likely PPT_BINARY_MEMORY_CORRUPTION_PAYLOADA macro-free binary PowerPoint (.ppt) document carries a native code payload (embedded PE and/or process-injection shellcode), staged in an oversized binary stream. Legitimate presentations do not embed executables or shellcode; this is the payload half of a PowerPoint memory-corruption exploit (CVE-2011-1269 / MS11-036 family; the same record-overflow delivery is shared with CVE-2010-2572 and CVE-2009-0556).
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 139,264 bytes but its declared streams total only 58,805 bytes — 80,459 bytes (58%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_office_00010000.exe |
embedded-pe | Office MZ+PE at offset 0x10000 | 73728 bytes |
SHA-256: 129f49ba2a52adee1f88497499a1879c4554da4b2163947988047e49f980ff40 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.