Win.Trojan.Enfal-69 Office (OLE) / .PPS malware analysis — malicious · d4c9a815e57be70d

MALICIOUS

Office (OLE) / .PPS

267.2 KB Created: 1601-01-01 00:00:00 Authoring application: Microsoft PowerPoint

MD5: 0cc2e0bee2242e8a72d86047464db97d SHA-1: e2a01f53bd6221d65da7d7cebcd090e94bc3bd49 SHA-256: d4c9a815e57be70d7b06939bdd3c1f06cba6445d71cb5802d267e13b59fc976a

680 Risk Score

Malware Insights

Win.Trojan.Enfal-69 · confidence 95%

MITRE ATT&CK

T1204.002 Malicious File T1059.003 Windows Command Shell T1055.012 Process Hollowing T1055.001 Process Injection

The sample is a PowerPoint file (PPS) that exploits CVE-2006-3877, a known vulnerability in Microsoft PowerPoint. It contains an embedded PE executable which is likely the primary payload. Heuristics indicate the use of WinExec, CreateProcess, WriteProcessMemory, and CreateRemoteThread, suggesting the embedded executable is designed to inject itself into a legitimate process or launch a new malicious process. ClamAV identified the sample as Win.Trojan.Enfal-69.

Heuristics 15

CVE-2006-3877 — PowerPoint malformed record payload critical CVE likely CVE_2006_3877

PowerPoint OLE file declares a malformed large numbered Table stream that cannot be read through the CFB chain, while the carved stream bytes contain a PE-like payload. This is the static shape of the PowerPoint malformed-record exploit family fixed as CVE-2006-3877.
Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY

Reference to WriteProcessMemory API
Reference to CreateRemoteThread API critical SC_STR_CREATEREMOTETHREAD

Reference to CreateRemoteThread API
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
ClamAV: Win.Trojan.Enfal-69 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Enfal-69
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
PEB API-hash resolver high SC_API_HASH_RESOLVER

PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE file contains raw shellcode-like resolver payload high OLE_RAW_SHELLCODE_PAYLOAD

Malformed or legacy OLE file contains raw PEB/API-resolver shellcode bytes at the file level, including loader-walk instructions and a nearby payload marker. This indicates an exploit payload carrier but does not identify a specific parser CVE.
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

Reference to VirtualProtect API

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_office_0000367d.exe` `421323a854f01a911a83edf323cf9ba7d53e8ac14620e9f73e765864f98737fb`	embedded-pe	Office MZ+PE at offset 0x367D	259682 bytes
Detection ClamAV: Win.Trojan.Enfal-69 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.