Office (OLE) / .PPT malware analysis — malicious · c57bdded2065b482

MALICIOUS

Office (OLE) / .PPT

164.1 KB Created: 2009-05-21 02:07:35 Authoring application: Microsoft PowerPoint

MD5: f8009605ac453eaf8b21c519a6c57e30 SHA-1: bff4fad256a1156bbd60d3ec1bdf9c2fa2d6f1f2 SHA-256: c57bdded2065b482e7369ff00ebe527f410e2fd42157eabd6f0e7fd464440bb0

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The sample is a malicious PowerPoint file exhibiting characteristics of obfuscated content, including a NOP sled and XOR-encoded strings with a key of 0xCC. The large slack space in the OLE structure further suggests malicious intent. While no specific document body text or scripts were clearly extracted, the heuristics strongly indicate the presence of malicious code designed to evade detection and potentially download a secondary payload.

Heuristics 3

XOR-encoded strings (key 0xCC) critical SC_XOR_ENCODED

Found 6 Windows library/API name(s) XOR-encoded with single-byte key 0xCC: 'LoadLibraryA', 'LoadLibraryA', 'GetProcAddress', 'GetProcAddress', 'VirtualAlloc', 'RegOpenKeyExA'
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 167,988 bytes but its declared streams total only 18,081 bytes — 149,907 bytes (89%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.