Office (OLE) / .PPT malware analysis — malicious · eb8ead407deaa6d5

MALICIOUS

Office (OLE) / .PPT

616.5 KB Created: 1601-01-01 00:00:00 Authoring application: Microsoft PowerPoint

MD5: b2ddca35422fa6109b8385884ea5fda7 SHA-1: 7965d7bdf3b15633238cc70d18fbbd053170d324 SHA-256: eb8ead407deaa6d570b16af390c60159c78d2ad8c73a3b585af33ad6c3117014

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.003 Windows Command Shell T1218 Signed Binary Proxy Execution T1071 Application Layer Protocol T1055 Process Injection

The sample exhibits high-severity heuristic firings indicating a PEB API-hash resolver and a reference to the ShellExecute API. These techniques are commonly used by malware to dynamically resolve API functions and execute commands or launch other executables. The presence of a GetPC stub further suggests code execution capabilities. Without a document body or script content, the exact payload and delivery mechanism remain unclear, but the core functionality points towards a downloader or initial execution stage.

Heuristics 4

x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP EAX)
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
PEB API-hash resolver high SC_API_HASH_RESOLVER

PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API

Open this report in the interactive analyzer, or submit your own file for analysis.