Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f2e1e72ab67338eb…

MALICIOUS

Office (OLE)

Size: 133.0 KB
Created: 2005-11-18 05:43:51
Authoring application: Microsoft PowerPoint
First seen: 2012-06-14
MD5: bba1f467a40d94137e4ad1e7b58ef9c3
SHA-1: df1bcf8344654759fd86cf8967b8222b3b274f6e
SHA-256: f2e1e72ab67338ebc37a8b971fec07366318b61b8fa7860dc1d2672487e1c3f2
Risk Score: 280

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Phishing: Spearphishing Attachment

The sample is a binary-format (.ppt) PowerPoint file that static analysis identifies as exploiting CVE-2011-1269 (MS11-036), a PowerPoint memory-corruption vulnerability that yields remote code execution when the document is opened in an unpatched Office. It carries an embedded PE executable (carved at offset 0xF81, see Extracted artifacts), so the exploit's job is to drop and run that secondary payload rather than do its work in-process. The slide content discusses global economic strategy, which serves as the lure. Two caveats for triage: the CVE attribution comes from static heuristics on the record layout and payload, not from observed exploitation, so confirm on a vulnerable Office build if the exact trigger matters; and the 2005 creation timestamp is document metadata, which is trivially forged or inherited from a repurposed deck, and says nothing about when the sample was weaponised.

Heuristics (7)

  • PowerPoint binary-format RCE payload (CVE-2011-1269 / MS11-036 family) [critical, CVE likely] PPT_BINARY_MEMORY_CORRUPTION_PAYLOAD
    A macro-free binary PowerPoint (.ppt) document carries a native-code payload (an embedded PE and/or process-injection shellcode) staged in an oversized binary stream. Legitimate presentations do not embed executables or shellcode. This is the payload half of a PowerPoint memory-corruption exploit; the trigger half is a malformed record that overflows the parser and redirects execution into it. The same record-overflow delivery is shared with CVE-2010-2572 and CVE-2009-0556, which is why the family rather than a single CVE is reported.
  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ and PE headers found inside the document (at offset 0xF81, see Extracted artifacts): an executable image the exploit can write to disk and launch.
  • Reference to WinExec API [high] SC_STR_WINEXEC
    WinExec launches a program by path. Inside a document it points to shellcode that runs the dropped file.
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
    LoadLibrary maps a DLL into the process at runtime; paired with GetProcAddress it lets position-independent shellcode reach any Win32 function without an import table.
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
    GetProcAddress resolves a function by name from a loaded module; the LoadLibrary/GetProcAddress pair is the standard API-resolution idiom in shellcode.
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
    VirtualAlloc reserves memory with caller-chosen protection, typically used to stage a decoded second stage in an executable region.
  • Reference to VirtualProtect API [medium] SC_STR_VIRTUALPROTECT
    VirtualProtect changes page protection, the usual way to make a data buffer executable (bypassing DEP) before jumping into it.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                       Kind         Source                         Size
embedded_office_00000f81.exe   embedded-pe  Office, MZ+PE at offset 0xF81  132223 bytes
SHA-256: 9d3e22e1f5d47309455a581c86bc1f4809dab72aa914658c543b7ed035aae219

The carve runs from the MZ header to end-of-file: 0xF81 + 132223 = 136192 bytes, which matches the 133.0 KB file size. The dropped executable therefore accounts for almost the whole document, and the artifact includes whatever trailing bytes follow the PE's last section. If you need to match this hash against a dropper recovered from disk, be aware that a carve bounded by the section table instead of end-of-file would give a different SHA-256.
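An added worked example, not code from the scanner that produced this report: a small Python carver implementing what the OLE_EMBEDDED_EXE hit and the artifact table describe. It walks every "MZ" in a blob, accepts only those whose e_lfanew lands on a "PE\0\0" signature (so a stray "MZ" in slide text is not reported), sizes the image from its section table with a fall-back to end-of-file (the report's own carve, 0xF81 + 132223 bytes, runs to end-of-file), hashes the carved bytes, names the artifact in the report's embedded_office_<offset>.exe style, and then scans for the import names behind the SC_STR_* hits. The input is a constructed blob (CFB magic, a decoy "MZ", a hand-built 192-byte PE), not the sample above; all function and constant names are ours.

```python
"""Carve embedded PE images out of an Office/OLE blob and flag suspicious
import-name strings. Added example; not the report scanner's own code."""
from __future__ import annotations

import hashlib
import struct

# Import names behind the report's SC_STR_* hits. Constant name is ours;
# "LoadLibrary" without a suffix also catches LoadLibraryA/W/ExA/ExW.
API_STRINGS = (b"WinExec", b"LoadLibrary", b"GetProcAddress",
               b"VirtualAlloc", b"VirtualProtect")


def pe_length(data: bytes, mz_off: int, pe_off: int) -> int:
    """Bytes from 'MZ' to the end of the last section on disk. Falls back to
    end-of-file (what the report's carver did) when the section table is
    missing, truncated, or points past the blob."""
    if pe_off + 24 > len(data):
        return len(data) - mz_off
    num_sections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size          # section table follows the optional header
    end = 0
    for i in range(num_sections):
        hdr = table + 40 * i                # IMAGE_SECTION_HEADER is 40 bytes
        if hdr + 40 > len(data):
            break
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    if end == 0 or mz_off + end > len(data):
        return len(data) - mz_off
    return end


def find_embedded_pe(data: bytes) -> list[tuple[int, int]]:
    """(offset, size) for every 'MZ' whose e_lfanew lands on a 'PE\\0\\0' signature."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew, = struct.unpack_from("<I", data, pos + 0x3C)
            pe_off = pos + e_lfanew
            # Plausibility gate: e_lfanew must clear the DOS header, stay small,
            # and land on the signature. A stray "MZ" in slide text or the CFB
            # directory fails this and is not reported.
            if 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == b"PE\0\0":
                hits.append((pos, pe_length(data, pos, pe_off)))
        pos = data.find(b"MZ", pos + 1)
    return hits


def carve(data: bytes, off: int, size: int) -> tuple[str, bytes, str]:
    """Carve one image; the filename mirrors the report's embedded_office_<offset>.exe."""
    blob = data[off:off + size]
    return f"embedded_office_{off:08x}.exe", blob, hashlib.sha256(blob).hexdigest()


def api_string_hits(data: bytes) -> dict[bytes, list[int]]:
    """Offsets of each suspicious import name found anywhere in the blob."""
    hits: dict[bytes, list[int]] = {}
    for name in API_STRINGS:
        pos = data.find(name)
        while pos != -1:
            hits.setdefault(name, []).append(pos)
            pos = data.find(name, pos + 1)
    return hits


def build_pe() -> bytes:
    """Constructed minimal one-section PE (192 bytes) whose .text holds the
    import names. Hand-built for this example, not taken from the sample."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    text = b"WinExec\0LoadLibraryA\0GetProcAddress\0VirtualAlloc\0VirtualProtect\0"
    assert len(text) == 0x40
    # Section header: raw data at 0x80 (right after this header), 0x40 bytes.
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x40, 0x1000, 0x40, 0x80,
                       0, 0, 0, 0, 0x60000020)
    return dos + coff + sect + text


def build_sample() -> bytes:
    """Constructed document: CFB magic, a decoy 'MZ' at 0x20 (e_lfanew = 0),
    the PE at 0x200, then padding."""
    prefix = (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\0" * 0x18 + b"MZ").ljust(0x200, b"\0")
    return prefix + build_pe() + b"\0" * 0x100


if __name__ == "__main__":
    doc = build_sample()
    for off, size in find_embedded_pe(doc):
        name, _blob, digest = carve(doc, off, size)
        print(f"{name}  embedded-pe  MZ+PE at offset {off:#x}  {size} bytes  SHA-256: {digest}")
    for name, offs in api_string_hits(doc).items():
        print(f"SC_STR_{name.decode().upper()}: {[hex(o) for o in offs]}")
```

Run the string scan a second time over the carved blob alone to tell whether the API names live in the dropped executable's import table (expected for a plain dropper) or in the surrounding document stream (which points at shellcode resolving them by hand).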