Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 fe08bd10efabe395…

MALICIOUS

Office (OLE) / .PPT

Size: 1.29 MB
Created: 1601-01-01 00:00:00 (the zero value of a Windows FILETIME, i.e. no creation timestamp is recorded)
Authoring application: Microsoft PowerPoint
MD5: 98336b9ab8311eb290da3aeb08d35996
SHA-1: f46207300efcfd4b4f18f24ae15e1397f2e04ca7
SHA-256: fe08bd10efabe39542b636d9e0ece5af16c39ee7e866d95cca878144fda80521
Risk score: 286

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File
T1059 Command and Scripting Interpreter

The sample is a PowerPoint (OLE/CFB) file that ClamAV detects as Win.Downloader.18273-1. Its structure matches the static shape of CVE-2006-3877, a vulnerability in PowerPoint's handling of malformed records: the file declares a Table stream that cannot be walked through the CFB FAT chain, and the bytes where that stream should sit contain a PE image. Static analysis cannot confirm that the malformed record actually triggers the bug at runtime, so the CVE attribution is a heuristic match on file shape, not an observed exploit. The carved PE (1,335,190 bytes starting at offset 0x526A, which accounts for nearly the whole 1.29 MB file) has an entropy of 7.98 and references LoadLibrary, GetProcAddress and VirtualAlloc, the usual combination for a packed or encrypted executable that resolves its imports and allocates executable memory at runtime; ClamAV has a signature for the container but none for the carved PE itself. No document body text was recoverable, and olevba could not parse the file for VBA macros. An exploit-shaped document carrying a packed PE is consistent with downloader or dropper behaviour; identifying what it fetches or drops requires unpacking the PE or dynamic analysis.

Heuristics (8)

  • CVE-2006-3877, PowerPoint malformed record payload [critical; CVE likely] CVE_2006_3877
    The PowerPoint OLE file declares a malformed, large-numbered Table stream that cannot be read through the CFB chain, while the carved stream bytes contain a PE-like payload. This is the static shape of the PowerPoint malformed-record exploit family fixed as CVE-2006-3877.
  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside the document; possible embedded executable.
  • ClamAV: Win.Downloader.18273-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Downloader.18273-1.
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
    The string "LoadLibrary" is present in the file's bytes.
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
    The string "GetProcAddress" is present in the file's bytes.
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
    The string "VirtualAlloc" is present in the file's bytes.
  • Unsupported Office format for VBA extraction [info] OFFICE_FORMAT_UNSUPPORTED
    olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. The file is likely a legacy, encrypted or malformed OLE/OOXML container, so re-scanning the same bytes will yield the same outcome.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_0000526a.exe
SHA-256: f6b5f3e5e2eba51ee6c87520c84efe5df88edf3841187230905386d6a3c49dbc
Kind: embedded-pe
Source: Office, MZ+PE at offset 0x526A
Size: 1335190 bytes
Detection: ClamAV: No threats found (the ClamAV signature hit is on the PowerPoint container, not on this carved image; a packed image with entropy this high routinely has no static signature, so a clean verdict here is not clearance)
Obfuscation or payload: likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.
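The three byte-level checks behind the OLE_EMBEDDED_EXE and SC_STR_* heuristics and the entropy verdict on the carved artifact can be reproduced without the analysis platform. The following is an added example, not the platform's own code and not derived from the reported file: it validates an MZ header by following e_lfanew to a real "PE\0\0" signature (a bare "MZ" pair occurs by chance in packed data), carves from that offset to end of blob, scans the carved bytes for the API names, and computes Shannon entropy. The input is constructed inline: a CFB-like prefix, a decoy "MZ" with no PE link, a minimal DOS/PE stub, the three API strings, and 64 KiB of seeded pseudo-random bytes standing in for a packed section. The CFB chain walk that backs the CVE_2006_3877 heuristic needs a full compound-file parser and is not reproduced here.

```python
"""Static triage of a document blob for an embedded PE (added example).

Reproduces the kind of byte-level checks a document scanner runs:
validated MZ/PE carve, API-string references, entropy of the carved image.
Sample input is constructed below; it is not the reported sample.
"""
import math
import random
import struct

API_STRINGS = (b"LoadLibrary", b"GetProcAddress", b"VirtualAlloc")
PACKED_ENTROPY_THRESHOLD = 7.5  # bits/byte; 8.0 is uniform random


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the whole buffer."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_pe_headers(blob: bytes) -> list:
    """Return offsets of 'MZ' headers whose e_lfanew (DOS header +0x3C)
    points at a 'PE\\0\\0' signature inside the blob.  Rejects bare 'MZ'
    pairs, which appear by chance in high-entropy data."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and blob[pe:pe + 4] == b"PE\0\0":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def triage_embedded_pe(blob: bytes) -> dict:
    """Carve from the first validated MZ to end of blob and report the
    indicators listed in the report: API string references and entropy."""
    offsets = find_pe_headers(blob)
    if not offsets:
        return {"found": False}
    start = offsets[0]
    carved = blob[start:]
    entropy = shannon_entropy(carved)
    return {
        "found": True,
        "offset": start,
        "size": len(carved),
        "api_refs": [s.decode() for s in API_STRINGS if s in carved],
        "entropy": round(entropy, 2),
        "packed_likely": entropy > PACKED_ENTROPY_THRESHOLD,
    }


def build_sample() -> bytes:
    """Constructed input (hypothetical, not the reported file): a CFB
    magic + zero-filled 512-byte prefix, a decoy 'MZ' with e_lfanew == 0,
    then a minimal DOS+PE stub, the API strings, and 64 KiB of seeded
    random bytes standing in for a packed section."""
    rng = random.Random(1234)  # fixed seed so the numbers are reproducible
    prefix = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 504
    decoy = b"MZ" + b"\x00" * 62            # e_lfanew reads as 0: rejected
    dos = b"MZ" + b"\x90" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew=0x40
    pe = b"PE\0\0" + struct.pack("<HH", 0x14C, 3)  # IMAGE_FILE_MACHINE_I386, 3 sections
    imports = b"\0".join(API_STRINGS) + b"\0"
    packed = bytes(rng.getrandbits(8) for _ in range(65536))
    return prefix + decoy + dos + pe + imports + packed


if __name__ == "__main__":
    result = triage_embedded_pe(build_sample())
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed input the decoy "MZ" at offset 512 is skipped because its e_lfanew is 0, and the real stub at offset 576 is carved with all three API strings present and an entropy above 7.9, the same pattern the report shows for the real artifact. Running `triage_embedded_pe` over the raw bytes of a suspect document gives the offset and size to compare against the platform's "MZ+PE at offset" line.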