Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 c24bd19f1987c894…

MALICIOUS

Office (OLE) / .PPT

Size: 616.5 KB
Created: 1601-01-01 00:00:00
Authoring application: Microsoft PowerPoint
MD5: 80b63472c909822cf5512953d9ec0d9c
SHA-1: 65bf9498c2bef4924f5423c3ae91d1230f9a895c
SHA-256: c24bd19f1987c89458aaedd880f03021c9f5b4d7365d5896cc36dbcc36c099ff
Risk Score: 522

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1218.011 Rundll32

The sample is a malicious PowerPoint file identified by ClamAV as Win.Trojan.Exploit-110. Critical heuristics indicate exploitation of CVE-2006-3590, involving a malformed shape-container payload. The presence of API calls like CreateProcess, VirtualAlloc, WriteProcessMemory, CreateRemoteThread, LoadLibrary, and GetProcAddress strongly suggests the execution of a second-stage payload. No VBA macros were extractable, but the exploit itself is the primary indicator of malicious intent.

Heuristics (13)

  • CVE-2006-3590 — PowerPoint malformed shape-container payload (critical; CVE_2006_3590)
    PowerPoint Pictures stream begins with malformed shape-container material and carries embedded resolver shellcode or a PE-like payload. This matches the MS06-048 mso.dll PowerPoint exploit family tracked as CVE-2006-3590.
  • Reference to WriteProcessMemory API (critical; SC_STR_WRITEPROCESSMEMORY)
  • Reference to CreateRemoteThread API (critical; SC_STR_CREATEREMOTETHREAD)
  • ClamAV: Win.Trojan.Exploit-110 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Exploit-110
  • x86 GetPC stub (CALL $+5; POP EAX) (high; SC_GETPC_CALL)
  • PEB access via FS segment (x86) (high; SC_PEB_ACCESS)
  • PEB API-hash resolver (high; SC_API_HASH_RESOLVER)
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • Reference to CreateProcess API (high; SC_STR_CREATEPROCESS)
  • Reference to LoadLibrary API (high; SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (high; SC_STR_GETPROCADDRESS)
  • NOP-equivalent sled detected (medium; SC_NOP_EQUIV_SLED)
    Long run of 0x43 bytes
  • Reference to VirtualAlloc API (medium; SC_STR_VIRTUALALLOC)
  • Unsupported Office format for VBA extraction (info; OFFICE_FORMAT_UNSUPPORTED)
    olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML; re-scanning the same bytes will yield the same outcome.