Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fcd9bbd7e0318d14…

MALICIOUS

Office (OLE)

Size: 616.5 KB
Created: 1601-01-01 00:00:00
Authoring application: Microsoft PowerPoint
MD5: 03502f1d5356a706ab6ea47ddd6970e5
SHA-1: 83a51e6bc8a94fca0f01a7ffee59caf91b520d87
SHA-256: fcd9bbd7e0318d14b588a0d44a4b239fc4c753d7481f6a74c5d50431ad1c78fb
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1218.011 Signed Binary Proxy Execution: Rundll32

The sample triggers high-confidence heuristics for PEB access and API-hash resolution, techniques commonly used by position-independent shellcode to locate its imports before executing. References to the WinExec and CreateProcess APIs suggest that further payloads are launched. The embedded URL, although benign in this instance, combined with these execution indicators points towards a downloader or initial execution mechanism. No specific malware family could be confidently identified.

Heuristics (6)

  • x86 GetPC stub (CALL $+5; POP EAX) [high] SC_GETPC_CALL
  • PEB access via FS segment (x86) [high] SC_PEB_ACCESS
  • PEB API-hash resolver [high] SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver.
  • Reference to WinExec API [high] SC_STR_WINEXEC
  • Reference to CreateProcess API [high] SC_STR_CREATEPROCESS
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main