Office (OLE) / .PPT malware analysis — malicious · d05b1de8980ecdd9

MALICIOUS

Office (OLE) / .PPT

616.5 KB Created: 1601-01-01 00:00:00 Authoring application: Microsoft PowerPoint

MD5: 7ee81035a7a0326eb4a0faae8993dd76 SHA-1: 01832fb762cb7170bfe18c949f9c87673401e470 SHA-256: d05b1de8980ecdd90bf1b4854c4a04f0dbbf8f73a4463d57d907d1ec9137d11a

200 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.003 Windows Command Shell T1204.002 Malicious File

The sample is a PowerPoint file exhibiting high-severity heuristics related to PEB access, API hash resolution, and references to WinExec and CreateProcess. These indicate an attempt to execute code, likely to download and run a second-stage payload. The presence of these indicators strongly suggests a malicious intent to compromise the system.

Heuristics 6

x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP EAX)
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
PEB API-hash resolver high SC_API_HASH_RESOLVER

PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Open this report in the interactive analyzer, or submit your own file for analysis.