Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 f7e428440faaa556…

MALICIOUS

Office (OLE) / .PPT

Size: 72.5 KB
Created: 2009-05-21 02:07:35
Authoring application: Microsoft PowerPoint
MD5: 9cb0a4e5e81c4e9ad536a3a5aa5abe4e
SHA-1: 9d4eeefe6891563a41c8a53faae07fb6e98c7c8b
SHA-256: f7e428440faaa55621eb77e451a3ff7266cf511571e43bf05a3687e92c772bbf
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The sample is a malicious PowerPoint file exhibiting a critical heuristic for XOR-encoded strings with a key of 0xED. The large amount of slack space in the OLE structure also indicates potential obfuscation or packed content. While no document body or script content was available for analysis, the presence of XOR-encoded strings strongly suggests the file is attempting to hide malicious code or data, likely for payload delivery.

Heuristics (2)

  • XOR-encoded strings (key 0xED) [critical] SC_XOR_ENCODED
    Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0xED: 'LoadLibraryW'
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 74,244 bytes but its declared streams total only 18,081 bytes; 56,163 bytes (76%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).