Office (OLE) / .PPT malware analysis — malicious · d4993effbb3e36db

MALICIOUS

Office (OLE) / .PPT

497.5 KB Created: 2009-05-21 02:07:35 Authoring application: Microsoft PowerPoint

MD5: 32d198c7cb84952082e512503a26b7bf SHA-1: cb889b7f4dc7901cf051d5a204ce5e9b80191211 SHA-256: d4993effbb3e36dbf9f1cd43fa732a6405b7154ca8d4544758229067ad3cf164

160 Risk Score

Malware Insights

MITRE ATT&CK

T1027 Obfuscated Files or Information

The sample is a PowerPoint file exhibiting multiple heuristic warnings, including significant OLE slack space and XOR-encoded strings with a key of 0xEF. These indicators suggest the file contains obfuscated malicious content, likely intended to evade detection and deliver a secondary payload. No document body or script content was available for further analysis, limiting the ability to determine the exact attack pattern or family.

Heuristics 4

XOR-encoded strings (key 0xEF) critical SC_XOR_ENCODED

Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0xEF: 'ADVAPI32.DLL'
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 509,444 bytes but its declared streams total only 18,081 bytes — 491,363 bytes (96%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED

Long run of 0x61 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.