Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 acf2486620bf56cb…

Verdict: MALICIOUS

File type: Office (OLE) / .PPT
Size: 616.5 KB
Created: 1601-01-01 00:00:00 (the Windows FILETIME epoch, i.e. a zeroed or unset OLE creation timestamp, not a real authoring date)
Authoring application: Microsoft PowerPoint
MD5: 5c0d05c6ec18117748b2764f4c423afa
SHA-1: 39b3959f57858cbc7fb1b445a7378e2c5c13037e
SHA-256: acf2486620bf56cb4ad4e13c37f10d55cd6bd375b3573e553987d2a52043bd68
Risk score: 280

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1055 Process Injection
  • T1105 Ingress Tool Transfer
  • T1027 Obfuscated Files or Information

The sample triggers high-confidence heuristics for position-independent x86 shellcode: a GetPC stub, PEB access through the FS segment, and a ROR13-style API-hash resolver, alongside string references to CreateProcess, VirtualAlloc, VirtualProtect, LoadLibrary and GetProcAddress. This combination is the profile of a first-stage loader: resolve imports at run time without an import table, obtain or re-protect executable memory, place a second-stage payload in it and run it, either in the current process (T1055) or in a newly created one. The ATT&CK mapping to T1105 reflects the expectation that the second stage is fetched from a remote source; note that this static result lists no network indicators (URLs, hosts, IPs), so the download behaviour is inferred from the API profile rather than observed.

Heuristics (8)

  • x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL
    A CALL to the very next instruction pushes its own return address, which the following POP recovers: the classic way position-independent shellcode learns where it sits in memory.
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    Reads FS:[0x30], the 32-bit process's pointer to the Process Environment Block, the starting point for walking the loaded-module list without an import table.
  • PEB API-hash resolver high SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver: export names are hashed at run time and compared against 32-bit constants, so the imported API names never appear as plaintext strings.
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

The five SC_STR_* heuristics are string matches on API names, not confirmed calls. Read together they outline a loader that resolves imports (LoadLibrary, GetProcAddress), prepares executable memory (VirtualAlloc, VirtualProtect) and launches a payload or host process (CreateProcess).
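As an added illustration (example code written for this page, not the engine that produced the report and not anything extracted from the sample), the Python scanner below re-implements the three structural heuristics above as byte-pattern matchers and shows why the SC_API_HASH_RESOLVER firing matters for triage: once the hashing convention is known, the 32-bit constants a stager pushes can be mapped back to API names. The hashing follows the Metasploit block_api convention (ROR13 over the upper-cased UTF-16LE module name plus ROR13 over the ASCII export name, each including its terminator); the instruction encodings matched, the API table and the sample bytes are assumptions constructed for the demonstration.

```python
"""Scan a byte blob for the x86 shellcode tell-tales listed in the report.

Added example (not the analysis engine's own code): three of the report's
heuristics re-implemented as byte-pattern matchers, plus a resolver that maps
PUSH imm32 constants back to API names using the Metasploit block_api ROR13
convention. The pattern set is an assumption about what the engine matches;
it covers the common encodings, not every possible one.
"""
import struct

MASK32 = 0xFFFFFFFF
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def ror13(value):
    """Rotate a 32-bit value right by 13 bits (what the shellcode's ROR does)."""
    value &= MASK32
    return ((value >> 13) | (value << 19)) & MASK32


def hash_module(name):
    """Hash of BaseDllName as the resolver sees it in the PEB: upper-cased
    UTF-16LE including the two-byte terminator (BaseDllName.MaximumLength)."""
    h = 0
    for b in name.upper().encode("utf-16le") + b"\x00\x00":
        h = (ror13(h) + b) & MASK32
    return h


def hash_function(name):
    """Hash of an export name from the export name table: ASCII plus its NUL."""
    h = 0
    for b in name.encode("ascii") + b"\x00":
        h = (ror13(h) + b) & MASK32
    return h


def api_hash(module, function):
    """block_api style hash: module hash + function hash, mod 2**32."""
    return (hash_module(module) + hash_function(function)) & MASK32


# Names the report flags plus common stager imports (assumed table; extend as needed).
KNOWN_APIS = [("kernel32.dll", f) for f in (
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateProcessA", "CreateThread", "WinExec", "ExitProcess")] + [
    ("ws2_32.dll", "WSAStartup"), ("ws2_32.dll", "connect"), ("ws2_32.dll", "recv"),
    ("wininet.dll", "InternetOpenA"), ("wininet.dll", "InternetConnectA")]
HASH_TABLE = {api_hash(m, f): f"{m}!{f}" for m, f in KNOWN_APIS}


def find_getpc(blob):
    """Offsets of CALL $+5 ; POP r32 (E8 00 00 00 00 58..5F) and the register popped."""
    hits = []
    for i in range(len(blob) - 5):
        if blob[i:i + 5] == b"\xE8\x00\x00\x00\x00" and 0x58 <= blob[i + 5] <= 0x5F:
            hits.append((i, REGS[blob[i + 5] - 0x58]))
    return hits


def find_peb_access(blob):
    """Offsets of FS-relative reads of the PEB pointer at FS:[0x30]."""
    hits = []
    for i in range(len(blob) - 3):
        if blob[i] != 0x64:                        # FS segment override prefix
            continue
        op = blob[i + 1]
        if op == 0xA1 and blob[i + 2:i + 6] == b"\x30\x00\x00\x00":
            hits.append((i, "eax"))                # MOV EAX, FS:[30h]
        elif op == 0x8B:
            modrm = blob[i + 2]
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            if mod == 0 and rm == 5 and blob[i + 3:i + 7] == b"\x30\x00\x00\x00":
                hits.append((i, REGS[reg]))        # MOV r32, FS:[30h]   (disp32 form)
            elif mod == 1 and rm != 4 and blob[i + 3] == 0x30:
                hits.append((i, REGS[reg]))        # MOV r32, FS:[base+30h], base zeroed first
    return hits


def resolve_pushed_hashes(blob):
    """PUSH imm32 (68 xx xx xx xx) operands that equal a known API hash."""
    hits = []
    for i in range(len(blob) - 4):
        if blob[i] == 0x68:
            (val,) = struct.unpack_from("<I", blob, i + 1)
            if val in HASH_TABLE:
                hits.append((i, val, HASH_TABLE[val]))
    return hits


def scan(blob):
    """Run all three heuristics; hits in each is the profile the report describes."""
    return {"getpc": find_getpc(blob),
            "peb_access": find_peb_access(blob),
            "api_hashes": resolve_pushed_hashes(blob)}


# Constructed sample (not bytes from the analysed file): a Metasploit-style
# x86 prologue followed by two hashed API calls through the resolver in EBP.
SAMPLE = bytes.fromhex(
    "E800000000" "58"   # call $+5 ; pop eax            (GetPC stub)
    "31D2"              # xor edx, edx
    "648B5230"          # mov edx, fs:[edx+0x30]       (PEB pointer)
    "684C772607"        # push 0x0726774C  kernel32.dll!LoadLibraryA
    "FFD5"              # call ebp                      (hash resolver)
    "6858A453E5"        # push 0xE553A458  kernel32.dll!VirtualAlloc
    "FFD5"              # call ebp
)

if __name__ == "__main__":
    for kind, hits in scan(SAMPLE).items():
        for hit in hits:
            print(f"{kind:11s} @ {hit[0]:#06x}: {hit[1:]}")
```

Run against a raw OLE stream the matcher reports the offset and destination register of each GetPC and PEB read, and names any pushed constant it recognises. Byte patterns alone are noisy on a 600 KB document (a six-byte sequence such as 64 A1 30 00 00 00 can occur by chance in compressed or binary streams), which is why the engine's high-confidence firing is for the combination, PEB access followed by a ROR13 loop, rather than for any single match; treat isolated hits the same way.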