Malicious Office (OLE) / .PPS — malware analysis report

Static analysis result for SHA-256 cc58f34c9aea3348…

MALICIOUS

Office (OLE) / .PPS

490.1 KB Created: 1601-01-01 00:00:00 Authoring application: Microsoft PowerPoint
MD5: 0e8b09e8adc294616112468b95848777 SHA-1: 1fa4377ecef7b241c36ff74e621dc25008c9935a SHA-256: cc58f34c9aea3348bd47a70875ccdf8d8b16611524f886d7bfd938ec88b9ed7f
322 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is a PowerPoint file (PPS) containing an embedded PE executable. Heuristics indicate the use of API hashing for resolving functions like CreateProcess, ShellExecute, VirtualAlloc, LoadLibrary, and GetProcAddress, suggesting dynamic loading of malicious code. The embedded executable is the primary indicator of malicious intent, likely serving as a downloader or initial payload.

Heuristics 9

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • PEB API-hash resolver high SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0000367a.exe
b2fc8c49972feadee52812c7b077f8bf46657a0e8994a354e2a6dd2a5361aaf6		 embedded-pe Office MZ+PE at offset 0x367A 487936 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.75, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.