MALICIOUS
280
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious PowerPoint file identified as exploiting CVE-2011-1269 / MS11-036, which allows for remote code execution. It contains an embedded PE executable, indicating it's designed to drop and run a secondary payload. The document body discusses global economic strategy, likely a lure to disguise the malicious intent.
Heuristics 7
-
PowerPoint binary-format RCE payload — CVE-2011-1269 / MS11-036 family critical CVE likely PPT_BINARY_MEMORY_CORRUPTION_PAYLOADA macro-free binary PowerPoint (.ppt) document carries a native code payload (embedded PE and/or process-injection shellcode), staged in an oversized binary stream. Legitimate presentations do not embed executables or shellcode; this is the payload half of a PowerPoint memory-corruption exploit (CVE-2011-1269 / MS11-036 family; the same record-overflow delivery is shared with CVE-2010-2572 and CVE-2009-0556).
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
Reference to WinExec API high SC_STR_WINEXECReference to WinExec API
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
-
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECTReference to VirtualProtect API
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_office_00000f81.exe |
embedded-pe | Office MZ+PE at offset 0xF81 | 132223 bytes |
SHA-256: 9d3e22e1f5d47309455a581c86bc1f4809dab72aa914658c543b7ed035aae219 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.