Verdict: MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
The file is classified as malicious because it exploits CVE-2006-3590 (MS06-048), a vulnerability in PowerPoint's parsing of a malformed Escher shape container; the crafted shape record leads to arbitrary code execution as soon as the presentation is opened. No specific malware family could be identified, and no further IOCs were extracted.
Heuristics (2)

- CVE-2006-3590 — PowerPoint malformed shape container
  Severity: critical | Type: CVE (exact match) | Rule ID: CVE_2006_3590
  The PowerPoint record graph contains an Escher shape container with text properties but no matching ClientTextbox child. This is the OffVis-compatible structural trigger for the MS06-048 malformed shape-container vulnerability.

- XOR-encoded strings (key 0xEF)
  Severity: critical | Rule ID: SC_XOR_ENCODED
  Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0xEF: 'RegOpenKeyExA'
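The structural check behind the first heuristic, written out as an added example (this is not the analyzer's own code): a minimal walker over an OfficeArt (Escher) record stream that flags any OfficeArtSpContainer whose OfficeArtFOPT property table carries text properties but which has no OfficeArtClientTextbox child. The record type IDs and the 0x0080..0x00BF text-property range are taken from the [MS-ODRAW] layout as assumed here, and the sample streams at the bottom are constructed for the example.

```python
# Added example (not the analyzer's own code): a minimal OfficeArt (Escher)
# record walker implementing the structural check named in the heuristic:
# flag any OfficeArtSpContainer whose OfficeArtFOPT property table carries
# text properties but which has no OfficeArtClientTextbox child.
# Record type IDs and the text-property range follow the [MS-ODRAW] layout as
# assumed here; the sample streams at the bottom are constructed for the example.
import struct

# Escher record header (8 bytes, little-endian): u16 recVer | recInstance << 4,
# u16 recType, u32 recLen. recVer == 0xF marks a container record.
HDR = struct.Struct("<HHI")
CONTAINER_VER = 0xF

REC_DG_CONTAINER = 0xF002     # OfficeArtDgContainer (one drawing)
REC_SPGR_CONTAINER = 0xF003   # OfficeArtSpgrContainer (group of shapes)
REC_SP_CONTAINER = 0xF004     # OfficeArtSpContainer (one shape)
REC_SP = 0xF00A               # OfficeArtFSP (shape id/flags)
REC_FOPT = 0xF00B             # OfficeArtFOPT (property table)
REC_CLIENT_TEXTBOX = 0xF00D   # OfficeArtClientTextbox (host text data)

# Assumption: property IDs 0x0080..0x00BF form the Escher "Text" property
# group (lTxid is 0x0080); any of them counts as "text properties" here.
TEXT_PID_LO, TEXT_PID_HI = 0x0080, 0x00BF


def iter_records(buf, off, end):
    """Yield (rec_off, ver, inst, rtype, body_off, body_end) for records in buf[off:end]."""
    while off + HDR.size <= end:
        ver_inst, rtype, rlen = HDR.unpack_from(buf, off)
        body = off + HDR.size
        if body + rlen > end:
            raise ValueError("record at 0x%X overruns its parent" % off)
        yield off, ver_inst & 0xF, ver_inst >> 4, rtype, body, body + rlen
        off = body + rlen


def fopt_has_text_props(buf, inst, body, end):
    """FOPT: recInstance = property count; each entry is u16 pid + u32 op."""
    for i in range(inst):
        pos = body + 6 * i
        if pos + 6 > end:
            break                      # truncated table: stop, do not overrun
        pid = struct.unpack_from("<H", buf, pos)[0] & 0x3FFF  # drop fBid/fComplex bits
        if TEXT_PID_LO <= pid <= TEXT_PID_HI:
            return True
    return False


def find_malformed_shape_containers(buf, off=0, end=None, findings=None):
    """Return stream offsets of shape containers with text props but no ClientTextbox."""
    end = len(buf) if end is None else end
    findings = [] if findings is None else findings
    for rec_off, ver, _inst, rtype, body, body_end in iter_records(buf, off, end):
        if ver != CONTAINER_VER:
            continue                   # atom record: nothing to descend into
        if rtype != REC_SP_CONTAINER:  # DgContainer, SpgrContainer, ...: recurse
            find_malformed_shape_containers(buf, body, body_end, findings)
            continue
        has_text = has_textbox = False
        for _, _, cinst, ctype, cbody, cend in iter_records(buf, body, body_end):
            if ctype == REC_FOPT and fopt_has_text_props(buf, cinst, cbody, cend):
                has_text = True
            elif ctype == REC_CLIENT_TEXTBOX:
                has_textbox = True
        if has_text and not has_textbox:
            findings.append(rec_off)
    return findings


# --- constructed sample input (not taken from the analysed file) --------------
def record(ver, inst, rtype, payload=b""):
    return HDR.pack((inst << 4) | ver, rtype, len(payload)) + payload

def fopt(props):
    """props: list of (pid, op) pairs; FOPT records use recVer 3."""
    return record(3, len(props), REC_FOPT,
                  b"".join(struct.pack("<HI", pid, op) for pid, op in props))

def sp_container(*children):
    return record(CONTAINER_VER, 0, REC_SP_CONTAINER, b"".join(children))

# Text-box shape (msosptTextBox = 202): has lTxid and a matching ClientTextbox.
BENIGN_SHAPE = sp_container(
    record(2, 202, REC_SP, struct.pack("<II", 1025, 0x0A00)),  # spid, fHaveAnchor|fHaveSpt
    fopt([(0x0080, 1)]),                                        # lTxid = 1
    record(CONTAINER_VER, 0, REC_CLIENT_TEXTBOX),               # host text records go here
)
# Same shape with the ClientTextbox child removed: the MS06-048 trigger shape.
MALFORMED_SHAPE = sp_container(
    record(2, 202, REC_SP, struct.pack("<II", 1026, 0x0A00)),
    fopt([(0x0080, 2)]),
)
SAMPLE_STREAM = record(CONTAINER_VER, 0, REC_DG_CONTAINER,
                       record(CONTAINER_VER, 0, REC_SPGR_CONTAINER,
                              BENIGN_SHAPE + MALFORMED_SHAPE))

if __name__ == "__main__":
    for off in find_malformed_shape_containers(SAMPLE_STREAM):
        print("suspect OfficeArtSpContainer at stream offset 0x%X" % off)
```

On a real sample the Escher data sits inside the "PowerPoint Document" stream of the OLE compound file (extract it with olefile first); PowerPoint's own record headers share the same 8-byte layout, so the same walker can descend from the document root to the OfficeArtDgContainer records. The overrun check in iter_records matters on this class of file: a malformed container is exactly the kind of input that makes a naive parser read past its parent.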
Disassembly

Attempted x86 opcode disassembly. Note that this region is the 0xEF-XOR-encoded string data flagged by the SC_XOR_ENCODED heuristic (the bytes at 0x3A21 decode to 'RegOpenKeyExA'), so the instructions below are an artifact of disassembling data, not meaningful code; the repeated "ef" bytes are encoded zero bytes.

00003A21  bd8a88a09f        mov ebp, 0x9fa0888a
00003A26  8a81a48a96aa      mov al, byte ptr [ecx - 0x5569755c]
00003A2C  97                xchg edi, eax
00003A2D  ae                scasb al, byte ptr es:[edi]
00003A2E  e2ef              loop 0x3a1f
00003A30  ef                out dx, eax
00003A31  ef                out dx, eax
00003A32  bd8a88ab8a        mov ebp, 0x8aab888a
00003A37  838a9b8aa48a96    or dword ptr [edx - 0x755b7565], 0xffffff96
00003A3E  ae                scasb al, byte ptr es:[edi]
00003A3F  e4ef              in al, 0xef
00003A41  ef                out dx, eax
00003A42  ef                out dx, eax
00003A43  bd8a88ac83        mov ebp, 0x83ac888a
00003A48  809c8aa48a96dbef  sbb byte ptr [edx + ecx*4 - 0x2469755c], 0xef
00003A50  ef                out dx, eax
00003A51  ef                out dx, eax
00003A52  bc80899b98        mov esp, 0x989b8980
00003A57  8e9d8ab3a286      mov ds, word ptr [ebp - 0x795d4c76]
00003A5D  8c9d809c8089      mov word ptr [ebp - 0x767f6380], ds
00003A63  9b                wait
00003A64  b3a0              mov bl, 0xa0
00003A66  8989868c8ab3      mov dword ptr [ecx - 0x4c75737a], ecx
00003A6C  de                .byte 0xde
00003A6D  dec1              faddp st(1)
00003A6F  dfb3bf80988a      fbstp tbyte ptr [ebx - 0x75677f41]
00003A75  9d                popfd
00003A76  bf8086819b        mov edi, 0x9b818680
00003A7B  b3bd              mov bl, 0xbd
00003A7D  8a                .byte 0x8a
00003A7E  9c                pushfd
00003A7F  86                .byte 0x86
00003A80  83                .byte 0x83
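Recovering the strings behind that listing, as an added example (not the analyzer's own code): the byte sequence below is transcribed from the opcode column of the disassembly (file offsets 0x3A21..0x3A80), and find_xor_key() is a generic single-byte-XOR search for Windows API names of the kind the SC_XOR_ENCODED heuristic reports. The API-name list is a small illustrative set, not the analyzer's dictionary.

```python
# Added example (not the analyzer's own code): recover the strings behind the
# disassembly listing. ENCODED is transcribed from the opcode column of the
# listing (file offsets 0x3A21..0x3A80). find_xor_key() brute-forces the
# single-byte key by looking for known Windows API names, which is the
# technique the SC_XOR_ENCODED heuristic describes.
import re

LISTING_OFFSET = 0x3A21
# Transcribed from the disassembly above; the only input this example uses.
ENCODED = bytes.fromhex(
    "bd8a88a09f8a81a48a96aa97aee2efefef"
    "bd8a88ab8a838a9b8aa48a96aee4efefef"
    "bd8a88ac83809c8aa48a96dbefefef"
    "bc80899b988e9d8ab3a2868c9d809c80899bb3a0"
    "8989868c8ab3dedec1dfb3bf80988a9dbf8086819b"
    "b3bd8a9c8683"
)

# Illustrative needle set; a production scanner would use a full export list.
API_NAMES = [b"RegOpenKeyExA", b"RegDeleteKeyA", b"RegCloseKey",
             b"LoadLibraryA", b"GetProcAddress", b"WinExec", b"CreateFileA"]


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def find_xor_key(data, needles=API_NAMES):
    """Brute-force all 256 single-byte keys; return (key, names found) for the
    key that exposes the most API names, or None if no key exposes any."""
    best = None
    for key in range(256):
        plain = xor_bytes(data, key)
        hits = [n.decode() for n in needles if n in plain]
        if hits and (best is None or len(hits) > len(best[1])):
            best = (key, hits)
    return best


def printable_strings(data, min_len=5, base=0):
    """(offset, string) for each ASCII run of at least min_len bytes, like strings(1)."""
    return [(base + m.start(), m.group().decode("ascii"))
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def decoded_strings(data=ENCODED, base=LISTING_OFFSET):
    """Recover the key from the data itself, then list the decoded strings
    with their file offsets. Returns (key, [(offset, string), ...])."""
    found = find_xor_key(data)
    if found is None:
        return None, []
    key = found[0]
    return key, printable_strings(xor_bytes(data, key), base=base)


if __name__ == "__main__":
    key, strings = decoded_strings()
    print("recovered key: 0x%02X" % key)
    for off, s in strings:
        print("%08X  %s" % (off, s))
```

Run against the transcribed bytes, the search recovers key 0xEF, confirming the heuristic, and the decode shows more than the single name the report summary lists: 'RegDeleteKeyA' and 'RegCloseKey' follow 'RegOpenKeyExA', and at 0x3A52 a registry path beginning Software\Microsoft\Office\11.0\PowerPoint\ starts. The listing ends mid-string, so the tail of that path is not recoverable from this page; pull the surrounding bytes from the sample to read it in full.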