Office (OLE) / .PPT malware analysis — malicious · e1d69b2a4e8e28b3

MALICIOUS

Office (OLE) / .PPT

616.5 KB Created: 1601-01-01 00:00:00 Authoring application: Microsoft PowerPoint

MD5: b8d1637caebfd9269d5b54652f23319d SHA-1: 02a96c1d1efe5b5b8148f9b167f4fe4c5e32f417 SHA-256: e1d69b2a4e8e28b3bd5c19d3bea35fdbbff48b41564e7647cb8e5fbf5e259a56

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.003 Windows Command Shell T1218.011 Signed Binary Proxy Execution: Rundll32 T1071.001 Web Protocols: Web Protocols T1105 Ingress Tool Transfer

The sample exhibits high-confidence heuristic firings indicating it uses PEB access and API hash resolution to dynamically load libraries, specifically referencing LoadLibrary and GetProcAddress. This suggests a downloader or loader functionality. The presence of a NOP-equivalent sled and a GetPC stub further supports the interpretation of shellcode designed to execute arbitrary code. No document body or script content was available for further analysis, limiting the ability to determine the exact nature of the payload or its delivery mechanism.

Heuristics 6

x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP EAX)
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
PEB API-hash resolver high SC_API_HASH_RESOLVER

PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED

Long run of 0x43 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.