Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 f8a8579b27017d4f…

MALICIOUS

Office (OLE) / .PPT

Size: 1005.4 KB (1,029,567 bytes)
Created: 2005-06-29 12:09:59
Authoring application: Microsoft Office PowerPoint
MD5: f29a8f626353db426fae9181f5f6a71a
SHA-1: d8231d0ff88d27da2c102b65781e146ee0cbbe3f
SHA-256: f8a8579b27017d4f3d854d26555abd949a919a1915e116339c93bcd4077073a2
Risk Score: 260

Malware Insights

MITRE ATT&CK
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1204.002 User Execution: Malicious File

The file is a PowerPoint presentation with a Windows executable embedded in the OLE container (carved below; ClamAV names it Win.Trojan.Miser-7). The document body contains text instructing the user to copy content and paste it into Run, cmd, PowerShell or a similar shell, a common lure for getting the victim to execute a payload by hand (T1204.002, with the shell step mapped to T1059.003). The embedded executable is the primary payload.

Heuristics (6)

  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside the document: a possible embedded executable.
  • ClamAV: Win.Trojan.Miser-7 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Miser-7.
  • ClamAV detection on extracted artifact [critical] EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    The OLE file is 1,029,567 bytes but its declared streams total only 375,255 bytes, so 654,312 bytes (64%) live outside any allocated stream. In general this is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached through a parser pointer-corruption bug in the document structure). In this sample the region is explained by the carved artifact: the PE at offset 0x5CE00 (380,416) runs 649,151 bytes to exactly the end of the file, and the remaining 5,161 bytes are on the order of the compound-file header, FAT and directory sectors that a stream total does not count. The heuristic is therefore corroborating the embedded executable rather than pointing at separate shellcode.
  • Clipboard command execution lure [high] SE_CLIPBOARD_COMMAND_LURE
    The document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL. No channel label is shown for the URL below.
    URL http://schemas.microsoft.com/cdo/configuration/
    This string is the namespace prefix of the CDO (Collaboration Data Objects) configuration fields (sendusing, smtpserver and so on) that scripts set when sending mail through CDO.Message. It is a schema identifier, not a network destination: treat it as a hint that the sample contains mail-sending code, not as a C2 address to block or pivot on.
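
The two structural heuristics above (OLE_EMBEDDED_EXE and OLE_SLACK_ANOMALY) come down to a handful of checks on offsets and sizes. The Python below is an added example written for this page, not the engine that produced the report: it finds MZ headers whose e_lfanew points at a PE signature, sizes the image from its section table, carves to end of file the way the artifact above was carved, and reconciles the slack figure against the carved artifact. The bytes it scans are constructed (an OLE signature, filler, and a 768-byte do-nothing PE skeleton), and report_figures() re-runs the arithmetic on the numbers printed in the report; the names of all functions are this example's own.

```python
"""Added example: carve embedded PE files out of an OLE document and account for the slack.
Written for this page; it is not the engine that produced the report above."""
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # compound file signature


def find_embedded_pe(data: bytes) -> list[int]:
    """Offsets of every 'MZ' whose e_lfanew (DOS header +0x3C) points at 'PE\\0\\0'.
    A bare 'MZ' in document text is common; requiring the PE signature cuts false hits."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # 0x40 is the smallest e_lfanew a well-formed DOS header allows; the upper
            # bound is a sanity limit against garbage values (assumption, not a PE rule).
            if 0x40 <= e_lfanew < 0x4000 and data[pe:pe + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def pe_raw_extent(data: bytes, off: int) -> int:
    """On-disk size of the image at `off`: end of the last section's raw data
    (or of the headers if no section reaches further), relative to `off`."""
    pe = off + struct.unpack_from("<I", data, off + 0x3C)[0]
    nsec = struct.unpack_from("<H", data, pe + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]   # COFF SizeOfOptionalHeader
    sect = pe + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    end = sect + 40 * nsec
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + 40 * i + 16)
        end = max(end, off + raw_ptr + raw_size)
    return end - off


def carve_to_eof(data: bytes, off: int) -> bytes:
    """Carve from the MZ header to end of file. The artifact above was carved this way:
    0x5CE00 + 649,151 lands exactly on the 1,029,567-byte file size, so anything
    appended after the image (overlay, config, a second stage) stays with it."""
    return data[off:]


def slack_accounting(file_size: int, declared_streams: int, carved: list[tuple[int, int]]):
    """(slack bytes, slack percent, slack not covered by carved artifacts).
    Approximation: an artifact is credited against the slack when it starts past the
    byte count the directory accounts for, i.e. it sits in the unallocated tail."""
    slack = file_size - declared_streams
    explained = sum(size for off, size in carved if off >= declared_streams)
    return slack, round(100 * slack / file_size), slack - explained


def report_figures():
    """The numbers printed in the report above, run through slack_accounting()."""
    return slack_accounting(1_029_567, 375_255, [(0x5CE00, 649_151)])


def build_sample() -> bytes:
    """Constructed input (not a real sample): OLE signature, zero-filled header, 1000 bytes
    of filler, then a 768-byte PE skeleton with one section whose raw data spans 0x200-0x300."""
    doc = OLE_MAGIC + b"\x00" * 504 + b"A" * 1000
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header follows the DOS header
    # i386, 1 section, no optional header (Characteristics 0x0102 is arbitrary here)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x100, 0x1000, 0x100, 0x200, 0, 0, 0, 0, 0x60000020)
    image = bytes(dos) + coff + section
    image += b"\x90" * (0x300 - len(image))   # pad so the section's raw data exists
    return doc + image


if __name__ == "__main__":
    sample = build_sample()
    for off in find_embedded_pe(sample):
        print(f"MZ+PE at offset {off:#x}: image {pe_raw_extent(sample, off)} bytes, "
              f"carved {len(carve_to_eof(sample, off))} bytes to EOF")
    slack, pct, left = report_figures()
    print(f"report: {slack:,} bytes ({pct}%) slack, {left:,} bytes not covered by the carved PE")
```

The useful comparison in practice is pe_raw_extent() against the carved length: when the carve to EOF is much larger than the image's section table says it should be, the difference is an overlay worth looking at separately.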

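The clipboard lure heuristic (SE_CLIPBOARD_COMMAND_LURE) is essentially a text rule: a copy/paste verb close to a shell-like target. The Python below is an added example for this page, not the rule the report's engine applies; the slide text it scans is constructed, and the regular expression is this example's own. It limits the window to a single sentence so that an innocent "copy" on one slide does not pair with a "PowerShell" on the next.

```python
"""Added example: flag 'copy this and paste it into a shell' lures in document text.
Written for this page; the SE_CLIPBOARD_COMMAND_LURE heuristic may use different rules."""
import re

# A copy/paste verb followed, within the same sentence, by a shell-like execution context.
_VERB = r"(?:copy|paste|ctrl\s*\+\s*v)"
_SHELL = (r"(?:run\s+(?:dialog|box|window|prompt)|win(?:dows)?\s*(?:key\s*)?\+\s*r"
          r"|powershell|pwsh|cmd(?:\.exe)?|command\s+prompt|terminal|bash)")
# [^\n.]{0,160}? keeps the match inside one sentence/line, which is what stops
# cross-slide false positives; the 160-character window is an assumption.
LURE_RE = re.compile(rf"\b{_VERB}\b[^\n.]{{0,160}}?\b{_SHELL}\b", re.IGNORECASE)


def find_clipboard_lures(text: str) -> list[str]:
    """Return each matching snippet, whitespace-collapsed, so an analyst can eyeball it."""
    return [" ".join(m.group(0).split()) for m in LURE_RE.finditer(text)]


# Constructed slide text (not taken from the sample above): one lure, two benign slides.
SLIDE_TEXT = """
Slide 1: This presentation is protected.
To unlock it, copy the line below, press Win+R, paste it into the Run dialog and hit Enter.
Slide 2: Copy the slides to a USB stick before the meeting.
Slide 3: Open PowerShell and run Get-Help if you get stuck.
"""

if __name__ == "__main__":
    for hit in find_clipboard_lures(SLIDE_TEXT):
        print("LURE:", hit)
```

Slide 2 and slide 3 each contain half of the pattern (a copy verb, a shell name) and neither fires; slide 1 fires twice because it names both Win+R and the Run dialog, which is the kind of redundancy real lures tend to have.
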
Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_0005ce00.exe
SHA-256: e11f911dc1793c707181f1339f9364d1da334140749f2aaca987edc84dcf99d6
Kind: embedded-pe
Source: Office, MZ+PE at offset 0x5CE00 (380,416)
Size: 649,151 bytes (0x5CE00 + 649,151 = 1,029,567, the end of the file)
Detection: ClamAV: Win.Trojan.Miser-7
Obfuscation or payload: unlikely