Win.Trojan.Samsa-3 — Office (OLE) / .PPS malware analysis

Static analysis result for SHA-256 fb6764b20b2c4d65…

MALICIOUS

Office (OLE) / .PPS

Size: 200.2 KB
Created: 1601-01-01 00:00:00 (the Windows FILETIME zero value, i.e. no creation timestamp was set)
Authoring application: Microsoft PowerPoint
MD5: b75487e2cca560259ced996357fbac0a
SHA-1: b1de547c0fa42769ef7f75de9db053749ee736d2
SHA-256: fb6764b20b2c4d6552ca4959571a3b46740ba61ffa9847ca51886cff88316656
Risk score: 462

Malware Insights

Win.Trojan.Samsa-3 · confidence 90%

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer
  • T1055.012 Process Hollowing

The file is a PowerPoint slideshow (.pps, an OLE compound document) that ClamAV identifies as Win.Trojan.Samsa-3. The heuristics below are string and byte-pattern matches, not observed behaviour: references to the process-injection APIs WriteProcessMemory and CreateRemoteThread, to VirtualAlloc and VirtualProtect, and to WinExec and CreateProcess, together with a PEB-walking, ROR13-style API-hash resolver of the kind position-independent shellcode uses to locate imports without an import table. Taken together they point to a dropper that launches a secondary payload and injects code into another process. A PE executable embedded at offset 0x3678 was carved from the sample and is the likely payload; ClamAV gives it the same Samsa-3 verdict. Two caveats: the Office scanner subprocess failed (see SCAN_INCOMPLETE), so the OLE structure itself, including any VBA or embedded OLE objects, was not inspected and the verdict rests on the signature match plus raw byte scanning; and the API strings support generic process injection (T1055), whereas the process-hollowing sub-technique (T1055.012) would additionally involve a process created suspended, its image unmapped and its thread context redirected, none of which the heuristics report, so treat that mapping as tentative until the carved payload has been analysed.

Heuristics (12)

  • [critical] SC_STR_WRITEPROCESSMEMORY: Reference to WriteProcessMemory API
  • [critical] SC_STR_CREATEREMOTETHREAD: Reference to CreateRemoteThread API
  • [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Win.Trojan.Samsa-3
  • [high] SC_PEB_ACCESS: PEB access via FS segment (x86)
  • [high] SC_API_HASH_RESOLVER: PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • [high] SC_STR_WINEXEC: Reference to WinExec API
  • [high] SC_STR_CREATEPROCESS: Reference to CreateProcess API
  • [high] SC_STR_LOADLIBRARY: Reference to LoadLibrary API
  • [high] SC_STR_GETPROCADDRESS: Reference to GetProcAddress API
  • [medium] SC_STR_VIRTUALALLOC: Reference to VirtualAlloc API
  • [medium] SC_STR_VIRTUALPROTECT: Reference to VirtualProtect API
  • [info] SCAN_INCOMPLETE: Scan did not complete. Office scanner subprocess failed (read: [Errno 13] Permission denied: '/opt/analyzer/quarantine/fb6764b20b2c4d6552ca4959571a3b46740ba61ffa9847ca51886cff88316656_b75487e2cca560259ced996357fbac0a.pps'); this file was not fully inspected. The result is not cached, so a later submission will re-trigger the scan.
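The SC_PEB_ACCESS and SC_API_HASH_RESOLVER heuristics describe a resolver that walks the PEB loader list and compares ROR13 hashes of module and export names against constants embedded in the code. The hash is cheap to recompute, so an analyst can precompute a table for the APIs of interest and recover which imports a decoded stub resolves. The Python below is an added example of that, not code from the analyzer or from the sample. It implements the Metasploit block_api convention (upper-cased UTF-16LE module name including its terminator, plus the ASCII export name including its terminator, summed mod 2^32); the byte string it scans is a constructed stand-in for a decoded stub, not bytes from this file, and the "push imm32; call ebp" shape it searches for is one common layout, not the only one.

```python
"""ROR13 API-hash computation of the kind flagged by SC_API_HASH_RESOLVER."""


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`, as the x86 ROR instruction does."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def ror13_hash(data: bytes) -> int:
    """`ror edi, 13 ; add edi, eax` over every byte, starting from 0."""
    h = 0
    for b in data:
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


def module_hash(module_name: str) -> int:
    """Hash of a module name as the resolver sees it in the PEB loader list:
    UTF-16LE (BaseDllName), normalised to upper case, including the two NUL
    bytes of the terminator (the resolver walks MaximumLength bytes)."""
    return ror13_hash((module_name.upper() + "\x00").encode("utf-16-le"))


def export_hash(func_name: str) -> int:
    """Hash of an export name as read from the export name table: ASCII plus NUL."""
    return ror13_hash((func_name + "\x00").encode("ascii"))


def api_hash(module_name: str, func_name: str) -> int:
    """The 32-bit constant the stub pushes: module hash + export hash, mod 2**32."""
    return (module_hash(module_name) + export_hash(func_name)) & 0xFFFFFFFF


def build_lookup(exports: dict) -> dict:
    """Map hash -> 'module!Function' for every export the analyst wants to recognise."""
    return {api_hash(m, f): f"{m.lower()}!{f}" for m, funcs in exports.items() for f in funcs}


def resolve_pushed_hashes(code: bytes, lookup: dict) -> list:
    """Find `push imm32` (opcode 0x68) whose immediate is a known API hash.
    Returns (offset, hash, name) tuples in code order."""
    hits = []
    for i in range(len(code) - 4):
        if code[i] == 0x68:
            imm = int.from_bytes(code[i + 1:i + 5], "little")
            if imm in lookup:
                hits.append((i, imm, lookup[imm]))
    return hits


# Exports named by this sample's heuristics; extend with any module/export
# pair, the hash is derived rather than looked up.
WATCHED_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
                     "WriteProcessMemory", "CreateRemoteThread", "WinExec", "CreateProcessA"],
}

# Constructed stand-in for a decoded stub (not bytes from the sample):
#   push 0x0726774C ; call ebp   -> kernel32.dll!LoadLibraryA
#   push 0x876F8B31 ; call ebp   -> kernel32.dll!WinExec
SAMPLE_STUB = bytes.fromhex("68 4c 77 26 07 ff d5 " "68 31 8b 6f 87 ff d5")

if __name__ == "__main__":
    table = build_lookup(WATCHED_EXPORTS)
    for off, h, name in resolve_pushed_hashes(SAMPLE_STUB, table):
        print(f"+0x{off:02x}: push 0x{h:08X}  ; {name}")
```

In practice the table is built from the export lists of the DLLs the shellcode is expected to touch (kernel32, ntdll, ws2_32, wininet), and unknown immediates that sit in `push`/`call ebp` pairs are the ones worth brute-forcing against a larger export dump.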

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00003678.exe
SHA-256: 8432f8660a40bee039f9eda28d8c5ba91885157ce0169cb06608a16cc5726f0a
Kind: embedded-pe
Source: Office, MZ+PE at offset 0x3678
Size: 191074 bytes
Detection: ClamAV: Win.Trojan.Samsa-3
Obfuscation or payload: unlikely

Consistency check: 0x3678 (13,944) + 191,074 = 205,018 bytes, which rounds to the 200.2 KB reported for the whole sample, so the carved PE runs from offset 0x3678 to the end of the .pps and everything before it is the OLE container. The "obfuscation or payload: unlikely" line belongs to the carved executable's own detection block, not to the parent document.
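Because the Office scanner subprocess failed (SCAN_INCOMPLETE), the one artifact above came from a raw scan for MZ+PE at a file offset rather than from parsing the OLE streams. The Python below is an added example of such a carver, not the analyzer's code: it validates each MZ candidate by following e_lfanew to the PE signature, sizes the image from its section table, rejects decoys and truncated headers, and hashes what it carves. The container it scans is constructed (OLE magic, a decoy "MZ", filler, a minimal synthetic PE placed at offset 0x3678) rather than the real sample; the offset matches the report, the synthetic PE's size and SHA-256 do not.

```python
"""Raw-byte carving of an embedded PE from an OLE document, independent of the OLE parser."""
import hashlib
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # compound file header signature


def is_ole_container(buf: bytes) -> bool:
    return buf[:8] == OLE_MAGIC


def pe_extent(buf: bytes, off: int):
    """If buf[off:] starts with a plausible MZ/PE header, return the on-disk size
    of the image (end of the last section's raw data, or the end of the headers
    if that is larger); otherwise None. Every read is bounds-checked so a decoy
    'MZ' or a truncated header is rejected rather than raising."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew > 0x1000 or pe + 24 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return None
    nsections = struct.unpack_from("<H", buf, pe + 6)[0]      # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]      # COFF SizeOfOptionalHeader
    sections = pe + 24 + opt_size
    hdr_end = sections + 40 * nsections
    if hdr_end > len(buf):
        return None
    size = hdr_end - off
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", buf, sections + 40 * i + 16)
        size = max(size, raw_ptr + raw_size)
    return size


def carve_embedded_pe(buf: bytes) -> list:
    """Scan every 'MZ' in buf and carve the ones that validate as PE files.
    Each hit records offset, carved size, SHA-256 and how many bytes follow the
    last section (a non-zero 'trailing' may be an overlay worth keeping)."""
    hits, pos = [], 0
    while (pos := buf.find(b"MZ", pos)) >= 0:
        size = pe_extent(buf, pos)
        if size is None:
            pos += 1
            continue
        blob = buf[pos:pos + size]            # clamps if the image claims more than is present
        hits.append({"offset": pos, "size": len(blob),
                     "sha256": hashlib.sha256(blob).hexdigest(),
                     "trailing": len(buf) - (pos + len(blob))})
        pos += len(blob)
    return hits


# ---- constructed fixture (no bytes from the real sample) -------------------

def build_minimal_pe(payload: bytes = b"\xC3") -> bytes:
    """A syntactically valid PE32 with one .text section: enough header for the
    carver to parse, not something anyone should execute."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    opt_size, raw_ptr, raw_size = 0xE0, 0x200, 0x200
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    section = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                          raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(raw_ptr, b"\0")
    return headers + payload.ljust(raw_size, b"\0")


def build_sample_container(pe: bytes) -> bytes:
    """OLE magic, a decoy 'MZ' with no PE header behind it, zero filler, then the
    PE at offset 0x3678, the offset reported for the real sample."""
    head = OLE_MAGIC + b"MZ" + b"\0" * (0x3678 - 8 - 2)
    return head + pe


if __name__ == "__main__":
    container = build_sample_container(build_minimal_pe())
    print("OLE container:", is_ole_container(container))
    for h in carve_embedded_pe(container):
        print(f"MZ+PE at offset 0x{h['offset']:x}, {h['size']} bytes, "
              f"sha256 {h['sha256']}, trailing {h['trailing']}")
```

Run against the real .pps, `trailing` tells you whether the analyzer's carve-to-EOF size (191074 bytes) exceeds what the section table accounts for; any excess is overlay that belongs with the payload and should be kept when the executable is handed to the next stage of analysis.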