Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 122f5b98fb2dee8c…

MALICIOUS

Office (OLE)

Size: 367.5 KB
Created: 1601-01-01 00:00:00
Authoring application: Microsoft PowerPoint
First seen: 2026-06-13
MD5: 0750872caa0b17323656ea42537b6179
SHA-1: 380d195966da7729d82a9f88b9d86f8c8e813ac0
SHA-256: 122f5b98fb2dee8cd684c7cfd4fa4688dcb50a33f5ab3f2761906f0e1098e26f
Risk Score: 162

Heuristics (4)

  • PowerPoint binary-format RCE payload — CVE-2011-1269 / MS11-036 family [critical, CVE related] PPT_BINARY_MEMORY_CORRUPTION_PAYLOAD
    A macro-free binary PowerPoint (.ppt) document carries a native code payload (embedded PE and/or process-injection shellcode), staged in an oversized binary stream. Legitimate presentations do not embed executables or shellcode; this is the payload half of a PowerPoint memory-corruption exploit (CVE-2011-1269 / MS11-036 family; the same record-overflow delivery is shared with CVE-2010-2572 and CVE-2009-0556).
  • XOR-encoded strings (key 0x73) [critical] SC_XOR_ENCODED
    Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x73: 'RegOpenKeyExA'
  • Reference to CreateProcess API [high] SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) referenced each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document body)