Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 af0b56946688c304…

MALICIOUS

Office (OLE) / .PPT

Size: 618.5 KB (633,344 bytes)
Created: 2005-06-13 06:38:23
Authoring application: Microsoft PowerPoint
MD5: b3b38cc9dfdc837bcc667a6734cc20bc
SHA-1: cf1f17f7533b88c62a1dbe0831e2a0d563927202
SHA-256: af0b56946688c304bb42986c038eaa5d0a0fd278844cad48d6aaea83d493cb4e
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The file is identified as malicious by ClamAV with the signature Win.Trojan.Exploit-110. The OLE slack anomaly suggests potential obfuscation or appended data. The document body consists of unrelated jokes, indicating a social engineering or lure tactic to mask the true malicious intent. No scripts were extracted, limiting further analysis of specific execution methods.

Heuristics (2)

  • ClamAV: Win.Trojan.Exploit-110 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Trojan.Exploit-110
  • OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]
    OLE file is 633,344 bytes but its declared streams total only 32,696 bytes; 600,648 bytes (95%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).