Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 b803a9afc5149eaa…

MALICIOUS

Office (OLE) / .PPT

133.0 KB Created: 1601-01-01 00:00:00 Authoring application: Microsoft PowerPoint
MD5: 538a3135697a1ebfe69ba352a96b9ebe SHA-1: a844f55ce26cdcbc567118f0f6c9fbbd9f375d40 SHA-256: b803a9afc5149eaaf4cf6f9880fdd49f48ce67645bea32165ceedd9f1dd4df7e
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1105 Ingress Tool Transfer

The sample is a PowerPoint file containing an embedded executable. Heuristics indicate references to LoadLibrary and GetProcAddress APIs, common in shellcode execution. The embedded executable is the primary indicator of malicious intent, suggesting a downloader or dropper. The document body content appears benign, but the presence of the embedded PE file is a strong indicator of a malicious payload delivery. No scripts were extracted from this sample.

Heuristics 4

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.amsa.org/hp/sexed.cfm2

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00007918.exe
604e41e1d69131ae8ff4b4b1bab473c660097aebdab1959e46dabda8313bb782		 embedded-pe Office MZ+PE at offset 0x7918 105192 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.