Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 f91a79c326d6a7c5…

MALICIOUS

Office (OLE) / .PPT

Size: 616.5 KB
Created: 1601-01-01 00:00:00
Authoring application: Microsoft PowerPoint
MD5: e3c7c4431c9d712d2965170fb013db1e
SHA-1: 5a75ebb593254c5aa15b10f447c72bc02c4f249b
SHA-256: f91a79c326d6a7c5bdbb7ab4c342618f0ff5a82a70428500e48187fe63a6dcf7
Risk Score: 442

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1059.005 Visual Basic

The sample is a malicious PowerPoint file detected as Win.Trojan.Exploit-110 by ClamAV. Critical heuristics indicate exploitation of CVE-2006-3590 via a malformed shape-container payload and the use of XOR-encoded strings. The presence of references to WinExec, LoadLibrary, and GetProcAddress, along with PEB access and an API-hash resolver, suggests the payload attempts to load and execute additional malicious code. The embedded URL is likely part of the lure or a command-and-control channel.

Heuristics (12)

  • CVE-2006-3590 — PowerPoint malformed shape-container payload, CVE likely [critical, CVE_2006_3590]
    PowerPoint Pictures stream begins with malformed shape-container material and carries embedded resolver shellcode or a PE-like payload. This matches the MS06-048 mso.dll PowerPoint exploit family tracked as CVE-2006-3590.
  • XOR-encoded strings (key 0x40) [critical, SC_XOR_ENCODED]
    Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0x40: 'KERNEL32.DLL', 'LoadLibraryA', 'GetProcAddress', 'InternetOpenA'
  • ClamAV: Win.Trojan.Exploit-110 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Trojan.Exploit-110
  • x86 GetPC stub (CALL $+5; POP EAX) [high, SC_GETPC_CALL]
    x86 GetPC stub (CALL $+5; POP EAX)
  • PEB access via FS segment (x86) [high, SC_PEB_ACCESS]
    PEB access via FS segment (x86)
  • PEB API-hash resolver [high, SC_API_HASH_RESOLVER]
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • Reference to WinExec API [high, SC_STR_WINEXEC]
    Reference to WinExec API
  • Reference to LoadLibrary API [high, SC_STR_LOADLIBRARY]
    Reference to LoadLibrary API
  • Reference to GetProcAddress API [high, SC_STR_GETPROCADDRESS]
    Reference to GetProcAddress API
  • NOP-equivalent sled detected [medium, SC_NOP_EQUIV_SLED]
    Long run of 0x40 bytes
  • Unsupported Office format for VBA extraction [info, OFFICE_FORMAT_UNSUPPORTED]
    olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.photodex.com