Office (OLE) / .PPT malware analysis — malicious · c9ca947639e897fd

MALICIOUS

Office (OLE) / .PPT

151.5 KB Created: 2009-05-21 02:07:35 Authoring application: Microsoft PowerPoint

MD5: bd3a9ec777e0ecee3c0ed57abb037851 SHA-1: 260d8e5c4904ce51965bdf4b946deba895036d23 SHA-256: c9ca947639e897fdfb6026729d56fb790bef70c24fa9d1f86ae522e8f4d31ebd

140 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1027 Obfuscated Files or Information

The sample is a PowerPoint file exhibiting characteristics of malicious intent, including a large slack space anomaly and the presence of a NOP sled. Crucially, XOR-encoded strings were detected, indicating obfuscation techniques are in use. The lack of readable document body text or extracted scripts prevents a more detailed analysis of the specific lure or payload, but the heuristics strongly suggest an embedded exploit.

Heuristics 3

XOR-encoded strings (key 0x89) critical SC_XOR_ENCODED

Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0x89: 'LoadLibraryA', 'LoadLibraryW', 'GetProcAddress', 'RegOpenKeyExA'
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 155,140 bytes but its declared streams total only 18,081 bytes — 137,059 bytes (88%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.