Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 f47222e630970087…

MALICIOUS

Office (OLE) / .PPT

Size: 157.5 KB
Created: 1601-01-01 00:00:00
Authoring application: Microsoft PowerPoint
MD5: dd590d06f1a744e867120a772a9ac078
SHA-1: 1e9970b41384f3b38f1183fe0fc1c1df5f843a1b
SHA-256: f47222e6309700870c536bcd15b9672711f3ece373c96717b4133dbcde144eed
Risk Score: 422

Malware Insights

MITRE ATT&CK
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File
  • T1055.012 Process Hollowing
  • T1059.001 PowerShell

The file is a malicious PowerPoint presentation that contains an embedded executable. Heuristics indicate suspicious API calls related to process injection (VirtualAlloc, VirtualProtect), execution (WinExec, CreateProcess), and dynamic library loading (LoadLibrary, GetProcAddress), suggesting it attempts to load and run the embedded payload. The presence of cmd.exe invocation further supports the execution of malicious commands. The ClamAV detection as 'Win.Trojan.Exploit-110' confirms its malicious nature.

Heuristics (12)

  • ClamAV: Win.Trojan.Exploit-110 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Exploit-110
  • x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EAX)
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • PEB API-hash resolver high SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Scan did not complete info SCAN_INCOMPLETE
    Office scanner subprocess failed (read: [Errno 13] Permission denied: '/opt/analyzer/quarantine/f47222e6309700870c536bcd15b9672711f3ece373c96717b4133dbcde144eed_dd590d06f1a744e867120a772a9ac078.ppt'); this file was not fully inspected. The result is not cached so a later submission will re-trigger the scan.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_0000a081.exe
SHA-256: 29e369af7f39c70fba0639bd7c2c2f213b9f7e6cf6c880c0ad82e14879095ca9
Kind: embedded-pe
Source: Office MZ+PE at offset 0xA081
Size: 120191 bytes
Detection: ClamAV: Win.Trojan.Exploit-110
Obfuscation or payload: unlikely