Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 b0119f73c239dc7c…

Verdict: MALICIOUS

File type: Office (OLE) / .PPT
Size: 616.5 KB
Created: 1601-01-01 00:00:00
Authoring application: Microsoft PowerPoint
MD5: 4df93b5d31968d5c9e945d320dc06de1
SHA-1: 1fe66b2ccc3f10ec4685b2f1045ef90cff63a1dd
SHA-256: b0119f73c239dc7c129ab3dda4364cdc6ad03fd9b0e076371ed878e7c8c34e21
Risk Score: 502

Malware Insights

MITRE ATT&CK

  • T1203 Exploitation for Client Execution
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1059.005 Visual Basic

The sample is identified as malicious by ClamAV and triggers critical-severity heuristics for process-injection APIs (WriteProcessMemory, CreateRemoteThread). It also carries a specific exploit for CVE-2006-3590 inside a PowerPoint shape container, which maps to exploitation for client execution. The presence of API hashing and PEB access points to evasion techniques typical of position-independent shellcode. Although VBA macros could not be extracted, the exploit together with the process-injection APIs strongly suggests the file is designed to download and execute a second-stage payload.

Heuristics (12)

  • CVE-2006-3590 — PowerPoint malformed shape-container payload [critical, CVE likely] (CVE_2006_3590)
    PowerPoint Pictures stream begins with malformed shape-container material and carries embedded resolver shellcode or a PE-like payload. This matches the MS06-048 mso.dll PowerPoint exploit family tracked as CVE-2006-3590.
  • Reference to WriteProcessMemory API [critical] (SC_STR_WRITEPROCESSMEMORY)
  • Reference to CreateRemoteThread API [critical] (SC_STR_CREATEREMOTETHREAD)
  • ClamAV: Win.Trojan.Exploit-110 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Exploit-110
  • x86 GetPC stub (CALL $+5; POP EAX) [high] (SC_GETPC_CALL)
  • PEB access via FS segment (x86) [high] (SC_PEB_ACCESS)
  • PEB API-hash resolver [high] (SC_API_HASH_RESOLVER)
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver.
  • Reference to CreateProcess API [high] (SC_STR_CREATEPROCESS)
  • Reference to LoadLibrary API [high] (SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API [high] (SC_STR_GETPROCADDRESS)
  • Reference to VirtualAlloc API [medium] (SC_STR_VIRTUALALLOC)
  • Unsupported Office format for VBA extraction [info] (OFFICE_FORMAT_UNSUPPORTED)
    olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. The file is likely a legacy, encrypted, or malformed OLE/OOXML container, so re-scanning the same bytes will yield the same outcome.