Verdict: MALICIOUS
Risk Score: 162
Heuristics matched: 4

- PowerPoint binary-format RCE payload — CVE-2011-1269 / MS11-036 family [critical] (PPT_BINARY_MEMORY_CORRUPTION_PAYLOAD)
  A macro-free binary PowerPoint (.ppt) document carries a native code payload (embedded PE and/or process-injection shellcode), staged in an oversized binary stream. Legitimate presentations do not embed executables or shellcode; this is the payload half of a PowerPoint memory-corruption exploit (CVE-2011-1269 / MS11-036 family; the same record-overflow delivery is shared with CVE-2010-2572 and CVE-2009-0556).

- XOR-encoded strings (key 0x73) [critical] (SC_XOR_ENCODED)
  Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x73: 'RegOpenKeyExA'

- Reference to CreateProcess API [high] (SC_STR_CREATEPROCESS)
  Reference to the CreateProcess API.

- Embedded URL [info] (EMBEDDED_URL)
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document body)