Office (OLE) / .PPS malware analysis — malicious · d38a95c372f66ea4

MALICIOUS

Office (OLE) / .PPS

262.6 KB Created: 1601-01-01 00:00:00 Authoring application: Microsoft PowerPoint

MD5: 519a68ba37ee8b3b3c68faaed7fc0ffa SHA-1: eab414c141657be587339dabb126be1260438a56 SHA-256: d38a95c372f66ea4e1595d7136bd8dabae71cccc610aedbe3d926b01b7a9b421

320 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is a PowerPoint file (PPS) containing an embedded PE executable. Heuristics indicate the use of API hashing for resolving functions like CreateProcess, ShellExecute, VirtualAlloc, LoadLibrary, and GetProcAddress, suggesting dynamic loading of malicious code. The embedded executable is the primary indicator of malicious intent, likely serving as a downloader or initial payload.

Heuristics 8

Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
PEB API-hash resolver high SC_API_HASH_RESOLVER

PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_office_00003674.exe` `2088fbb34b5a663a83e3447c266d8b07fd0bc18f232909791b185d982de433a5`	embedded-pe	Office MZ+PE at offset 0x3674	254976 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.