Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 c7fb96ac6d7729e2…

MALICIOUS

Office (OLE) / .PPT

Size: 135.5 KB
Created: 1601-01-01 00:00:00 (the zero value of a Windows FILETIME, i.e. the creation timestamp is unset or was scrubbed, not a real date)
Authoring application: Microsoft PowerPoint
MD5: 2c84f051d56d6c6f7fd36bc942a9df29
SHA-1: a6c3f3cd7d81b7a45310d128c03c0a48b4839cb8
SHA-256: c7fb96ac6d7729e263e4c9b6b3264ac42c2e1f7bb8f9f5e88b1cffb01d13430c
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1027 Obfuscated Files or Information
  • T1140 Deobfuscate/Decode Files or Information

The sample is a malicious PowerPoint (OLE) file. The critical finding is a set of Windows library and API names (kernel32.dll, advapi32.dll, shell32.dll, CreateProcessA, ExitProcess) XOR-encoded with the single-byte key 0x49. The two high-severity heuristics are the two halves of a position-independent import resolver: a read of the PEB through the FS segment (x86) followed by ROR13-style API hashing. Together these indicate embedded shellcode that locates its imports at run time instead of through a normal import table. The long runs of 0x41 and 0x40 bytes are consistent with a heap-spray or NOP-equivalent sled (on x86, 0x40 and 0x41 decode as `inc eax` and `inc ecx`) meant to land control flow on the shellcode after a vulnerability is triggered; note that repeated-byte runs are also common as plain padding, so they corroborate rather than prove exploitation. No specific family is identified. The decoded API names fit a downloader or dropper that launches a second-stage process with CreateProcessA and then calls ExitProcess.

Heuristics (5)

  • XOR-encoded strings (key 0x49) critical SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x49: 'kernel32.dll', 'advapi32.dll', 'shell32.dll', 'KERNEL32.DLL', 'ADVAPI32.DLL', 'CreateProcessA', 'ExitProcess', 'ExitProcess'
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • PEB API-hash resolver high SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • Heap-spray pattern detected high SC_HEAP_SPRAY
    Repeated 0x41 (A) bytes found
  • NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED
    Long run of 0x40 bytes
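The following Python re-implements the five heuristics above so an analyst can reproduce them over a raw OLE stream or a carved buffer. This is added example code, not the analysis engine's own code or its SC_* rules; the byte patterns for the PEB read (`mov r32, fs:[0x30]`, `mov edx, fs:[edx+0x30]`) and for `ror r32, 13` (`C1 C8..CF 0D`), the wordlist of API names, and the window that ties a PEB read to a following ROR-13 are the author's choices, and `SAMPLE` is a constructed buffer (a Metasploit-style PEB walk, names XORed with 0x49, an `inc eax` sled and a run of 0x41), not bytes from the analysed file.

```python
# Re-implementation of the five shellcode heuristics from the report (added example;
# patterns, wordlist and the 256-byte PEB->ROR window are this example's assumptions).
import re

# Library/API names that position-independent shellcode commonly resolves.
WORDLIST = [
    b"kernel32.dll", b"advapi32.dll", b"shell32.dll",
    b"KERNEL32.DLL", b"ADVAPI32.DLL",
    b"LoadLibraryA", b"GetProcAddress", b"CreateProcessA",
    b"ExitProcess", b"WinExec", b"URLDownloadToFileA",
]

# x86 reads of the PEB pointer at fs:[0x30]:
#   64 A1 30 00 00 00       mov eax, fs:[0x30]
#   64 8B xx 30 00 00 00    mov r32, fs:[0x30]   (xx selects eax/ecx/edx/ebx/ebp/esi/edi)
#   64 8B 52 30             mov edx, fs:[edx+0x30] (after xor edx, edx; block_api style)
PEB_FS_RE = re.compile(
    rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x2d\x35\x3d])\x30\x00\x00\x00|\x64\x8b\x52\x30"
)
# C1 /1 ib with mod=11: ror r32, imm8 ; ModRM C8..CF picks the register, 0D = 13.
ROR13_RE = re.compile(rb"\xc1[\xc8-\xcf]\x0d")


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xor_encoded_names(buf: bytes, wordlist=WORDLIST) -> dict:
    """SC_XOR_ENCODED: {key: [names]} for every single-byte key under which a
    wordlist entry appears XOR-encoded in buf (key 0 = plaintext is skipped)."""
    hits = {}
    for key in range(1, 256):
        found = [n.decode() for n in wordlist if xor_bytes(n, key) in buf]
        if found:
            hits[key] = found
    return hits


def find_peb_access(buf: bytes) -> list:
    """SC_PEB_ACCESS: offsets of FS-relative PEB reads."""
    return [m.start() for m in PEB_FS_RE.finditer(buf)]


def find_api_hash_resolver(buf: bytes, window: int = 256) -> list:
    """SC_API_HASH_RESOLVER: (peb_offset, ror_offset) pairs where a ror r32,13
    follows a PEB read within `window` bytes (assumed window)."""
    rors = [m.start() for m in ROR13_RE.finditer(buf)]
    return [(p, r) for p in find_peb_access(buf) for r in rors if 0 < r - p <= window]


def longest_run(buf: bytes, value: int) -> int:
    """Length of the longest run of `value`; used for SC_HEAP_SPRAY (0x41) and
    SC_NOP_EQUIV_SLED (0x40). Runs are also ordinary padding: corroborating only."""
    best = cur = 0
    for b in buf:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def ror13_hash(name: bytes) -> int:
    """ROR13 hash of an ASCII name including its terminating null, the per-name
    component such resolvers compare against (module hash handling omitted)."""
    h = 0
    for b in name + b"\x00":
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


# Constructed sample buffer (not bytes from the analysed file).
SAMPLE = (
    b"\x40" * 64                                   # inc eax sled
    + b"\x31\xd2\x64\x8b\x52\x30"                  # xor edx,edx ; mov edx, fs:[edx+0x30]
    + b"\x8b\x52\x0c\x8b\x52\x14"                  # mov edx,[edx+0xC] ; mov edx,[edx+0x14]
    + b"\x31\xff\xc1\xcf\x0d\x01\xc7"              # xor edi,edi ; ror edi,13 ; add edi,eax
    + xor_bytes(b"kernel32.dll", 0x49) + b"\x49"   # names XOR 0x49; 0x49 is the encoded null
    + xor_bytes(b"CreateProcessA", 0x49) + b"\x49"
    + xor_bytes(b"ExitProcess", 0x49) + b"\x49"
    + b"\x41" * 48                                 # run of 0x41 (inc ecx)
)


def triage(buf: bytes, run_threshold: int = 32) -> dict:
    """Summarise all five heuristics for a buffer."""
    return {
        "xor_encoded": find_xor_encoded_names(buf),
        "peb_access": find_peb_access(buf),
        "api_hash_resolver": find_api_hash_resolver(buf),
        "heap_spray_0x41": longest_run(buf, 0x41) >= run_threshold,
        "nop_sled_0x40": longest_run(buf, 0x40) >= run_threshold,
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE).items():
        print(f"{k}: {v}")
```

Running it on a carved stream rather than `SAMPLE` is a matter of `triage(open(path, "rb").read())`. The XOR scan is a known-plaintext search, so it cannot see names outside the wordlist, and the sled checks deliberately return booleans only, since a run of 0x41 on its own is as likely to be filler as a spray.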