Office (OLE) / .PPT malware analysis — malicious · c996d3a82711b7bb

MALICIOUS

Office (OLE) / .PPT

961.5 KB Created: 2009-05-21 02:07:35 Authoring application: Microsoft PowerPoint

MD5: 5fdbc859ff515ba978ccf3c366f93c84 SHA-1: 46dfcf38d160898178a34f0845ab95714951119d SHA-256: c996d3a82711b7bba9021c3e2162e15f12bae026594eccebe4c8bc7ef8b385a1

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1027 Obfuscated Files or Information

The sample is a PowerPoint file exhibiting characteristics of malicious intent, including a large slack space anomaly and the presence of a NOP sled. Crucially, XOR-encoded strings were detected with a key of 0xF0, indicating obfuscation techniques commonly used to hide malicious code. While no specific document body content or scripts were clearly extracted for analysis, these heuristics strongly suggest the file is designed to execute obfuscated code, likely for payload delivery.

Heuristics 3

XOR-encoded strings (key 0xF0) critical SC_XOR_ENCODED

Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0xF0: 'ADVAPI32.DLL'
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 984,622 bytes but its declared streams total only 18,081 bytes — 966,541 bytes (98%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.