Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 f9bd4eb1f67d74b4…

MALICIOUS

Office (OLE) / .PPT

Size: 1.36 MB
Created: 2009-05-21 02:07:35
Authoring application: Microsoft PowerPoint
MD5: 512dcdc69310472c13148e2d566364a2
SHA-1: 40b6cd0d70bf657f489015d4ada83c07d4bda8a6
SHA-256: f9bd4eb1f67d74b4d3520f49a2cff2eafdc9a7eb483e57c591426bf6fc046ce0
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

Static analysis detected a NOP sled and XOR-encoded strings, indicating obfuscated malicious code. The large slack space in the OLE structure is also anomalous. While no specific document body content or scripts were extracted, the heuristics strongly suggest the file is a loader for further malicious activity. The confidence is moderate due to the lack of explicit payload details.

Heuristics (3)

  • XOR-encoded strings (key 0x87) critical SC_XOR_ENCODED
    Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0x87: 'LoadLibraryW', 'LoadLibraryW', 'GetProcAddress', 'CreateProcessW'
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 1,424,900 bytes but its declared streams total only 18,081 bytes — 1,406,819 bytes (99%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).