Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d348292bef495cb8…

MALICIOUS

Office (OLE)

Size: 3.20 MB
Created: 2001-09-18 01:12:01
Authoring application: Microsoft PowerPoint
First seen: 2017-12-24
MD5: 5a59d29b83443afdc3cf15c9d3110949
SHA-1: 256e4c1a03ea9f6991d81eb24b7252847c0439c9
SHA-256: d348292bef495cb821df869ac5060e03768bdc9c69b4e5c8436d356b5ae4bca1
Risk score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is a PowerPoint document identified as malicious. Static analysis detected an appended executable payload, indicating the document is likely a container for delivering malware. The presence of a NOP-equivalent sled further suggests shellcode or an exploit. The document body contains technical content unrelated to the malicious payload, suggesting it's a lure.

Heuristics (2)

  • OLE file has appended executable-looking payload bytes (severity: high, OLE_APPENDED_PAYLOAD)
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • NOP-equivalent sled detected (severity: medium, SC_NOP_EQUIV_SLED)
    Long run of 0x41 bytes. In 32-bit x86 each 0x41 decodes to inc ecx, which only modifies ecx and therefore behaves as a NOP-equivalent sled; note that 0x41 is also ASCII 'A', so a run of it can equally be filler or padding rather than shellcode.
    Disassembly (attempted x86 opcode decode of the region):
    0017C8CA  41                inc ecx
    0017C8CB  41                inc ecx
    0017C8CC  41                inc ecx
    0017C8CD  41                inc ecx
    0017C8CE  41                inc ecx
    0017C8CF  41                inc ecx
    0017C8D0  41                inc ecx
    0017C8D1  41                inc ecx
    0017C8D2  41                inc ecx
    0017C8D3  41                inc ecx
    0017C8D4  41                inc ecx
    0017C8D5  41                inc ecx
    0017C8D6  41                inc ecx
    0017C8D7  41                inc ecx
    0017C8D8  41                inc ecx
    0017C8D9  41                inc ecx
    0017C8DA  41                inc ecx
    0017C8DB  41                inc ecx
    0017C8DC  41                inc ecx
    0017C8DD  41                inc ecx
    0017C8DE  41                inc ecx
    0017C8DF  41                inc ecx
    0017C8E0  41                inc ecx
    0017C8E1  41                inc ecx
    0017C8E2  41                inc ecx
    0017C8E3  41                inc ecx
    0017C8E4  41                inc ecx
    0017C8E5  41                inc ecx
    0017C8E6  41                inc ecx
    0017C8E7  41                inc ecx
    0017C8E8  41                inc ecx
    0017C8E9  41                inc ecx
    0017C8EA  41                inc ecx
    0017C8EB  41                inc ecx
    0017C8EC  41                inc ecx
    0017C8ED  41                inc ecx
    0017C8EE  41                inc ecx
    0017C8EF  ffc2              inc edx
    0017C8F1  0011              add byte ptr [ecx], dl
    0017C8F3  0801              or byte ptr [ecx], al
    0017C8F5  a6                cmpsb byte ptr [esi], byte ptr es:[edi]
    0017C8F6  01a903012200      add dword ptr [ecx + 0x220103], ebp
    0017C8FC  0211              add dl, byte ptr [ecx]
    0017C8FE  0103              add dword ptr [ebx], eax
    0017C900  1101              adc dword ptr [ecx], eax
    0017C902  ffc4              inc esp
    0017C904  00cf              add bh, cl
    0017C906  0000              add byte ptr [eax], al
    0017C908  0203              add al, byte ptr [ebx]
    0017C90A  0101              add dword ptr [ecx], eax
    0017C90C  0100              add dword ptr [eax], eax
    0017C90E  0000              add byte ptr [eax], al
    0017C910  0000              add byte ptr [eax], al
    0017C912  0000              add byte ptr [eax], al
    0017C914  0000              add byte ptr [eax], al
    0017C916  0000              add byte ptr [eax], al
    0017C918  0102              add dword ptr [edx], eax
    0017C91A  03040506070100    add eax, dword ptr [eax + 0x10706]
    0017C921  0301              add eax, dword ptr [ecx]
    0017C923  0101              add dword ptr [ecx], eax
    0017C925  0000              add byte ptr [eax], al
    0017C927  0000              add byte ptr [eax], al
    0017C929  00                .byte 0x00