Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 ba795353d8009fb6…

MALICIOUS

Office (OLE) / .PPT

616.5 KB Created: 1601-01-01 00:00:00 Authoring application: Microsoft PowerPoint
MD5: 6be68865b987fc3e329b5e852b0bec6b SHA-1: 586f9ad64e18e62803fb2a84d3621c10aaef7996 SHA-256: ba795353d8009fb6186399c48cd5a435a2af3a40e7ab7b5f6b28cd571e396db7
300 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1105 Ingress Tool Transfer T1059.003 Windows Command Shell

The sample contains references to URLDownloadToFile and cmd.exe execution, indicating an attempt to download and run a second-stage payload. The embedded URL http://bmwftp.blogdns.net:8080/nnn/ is likely the source of this payload. The presence of PEB access and API hash resolution suggests anti-analysis techniques are employed.

Heuristics 8

  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EAX)
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • PEB API-hash resolver high SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://bmwftp.blogdns.net:8080/nnn/#

Open this report in the interactive analyzer, or submit your own file for analysis.