Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 dc66296171081043…

MALICIOUS

Office (OLE)

45.5 KB Created: 1601-01-01 00:00:00 Authoring application: Microsoft PowerPoint First seen: 2015-09-30
MD5: 84e4bcd71231a6a38c88440c0d0e3690 SHA-1: 5ebfe94d48690a1b5a04a9a7b23ff5f59d275365 SHA-256: dc66296171081043285cee3f9bd6917d5c4e20ee90723d94bbb13b8dbc836fa7
460 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The file is a PowerPoint document identified as malicious, containing an embedded PE executable. Heuristics indicate the use of Windows API functions like CreateProcess, VirtualAlloc, VirtualProtect, WriteProcessMemory, LoadLibrary, and GetProcAddress, strongly suggesting the execution of a dropped payload. The presence of an embedded executable and the exploitation of a known PowerPoint vulnerability (CVE-2011-1269 / MS11-036 family) points to a client execution attack vector, likely delivered via spearphishing.

Heuristics 9

  • PowerPoint binary-format RCE payload — CVE-2011-1269 / MS11-036 family critical CVE likely PPT_BINARY_MEMORY_CORRUPTION_PAYLOAD
    A macro-free binary PowerPoint (.ppt) document carries a native code payload (embedded PE and/or process-injection shellcode), staged in an oversized binary stream. Legitimate presentations do not embed executables or shellcode; this is the payload half of a PowerPoint memory-corruption exploit (CVE-2011-1269 / MS11-036 family; the same record-overflow delivery is shared with CVE-2010-2572 and CVE-2009-0556).
  • ClamAV: Win.Trojan.Agent-67838 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Agent-67838
  • Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY
    Reference to WriteProcessMemory API
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00002a72.exe embedded-pe Office MZ+PE at offset 0x2A72 35726 bytes
SHA-256: 2139235611c00bf01844cbdcd76b5920c3e250d84949493a2e8976e017d49d31
Detection
ClamAV: Win.Trojan.Agent-67838
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.