Office (OLE) / .PPT malware analysis — malicious · df47d2359a409f68

MALICIOUS

Office (OLE) / .PPT

1008.5 KB Created: 2009-05-21 02:07:35 Authoring application: Microsoft PowerPoint

MD5: 5f55fce64901b1928dca4fe8f03f03a1 SHA-1: 40854f8b7133383d5ce166110dbed8266c83355a SHA-256: df47d2359a409f68e96d24bd60fa7317c3592f07a41797a787c8d6ecc5ee29bc

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1027 Obfuscated Files or Information

The sample is a malicious PowerPoint file exhibiting significant slack space, indicative of potential obfuscation or embedded malicious content. Heuristics detected a NOP sled and XOR-encoded strings, suggesting an attempt to hide malicious code. The XOR key 0xBE was identified, which is a primary indicator of the encoding method used. The large amount of slack space (98%) further supports the idea that malicious code is concealed within the file structure.

Heuristics 3

XOR-encoded strings (key 0xBE) critical SC_XOR_ENCODED

Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0xBE: 'LoadLibraryW', 'CreateProcessW', 'CreateProcessW'
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 1,032,708 bytes but its declared streams total only 18,081 bytes — 1,014,627 bytes (98%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.