Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fe3d673f8c371af2…

MALICIOUS

Office (OLE)

Size: 616.5 KB
Created: 1601-01-01 00:00:00
Authoring application: Microsoft PowerPoint
MD5: 457d91544d40c60ff4941b4fb5cc24b1
SHA-1: b584793f37747835751899650a8e952d443a080f
SHA-256: fe3d673f8c371af219df37758b3d93ddcbb5023710e15a4ac894b2936ca2ba2a
Risk Score: 220

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1218.011 Signed Binary Proxy Execution: Rundll32
  • T1071.001 Web Protocols
  • T1105 Ingress Tool Transfer

The sample is a PowerPoint file that exhibits malicious behavior. High-severity heuristics indicate the presence of code designed to resolve API functions like VirtualAlloc, LoadLibrary, and GetProcAddress, which are commonly used for downloading and executing second-stage payloads. The file's structure and the heuristics suggest it is likely a downloader or dropper. No specific family could be confidently identified.

Heuristics (6)

  • x86 GetPC stub (CALL $+5; POP EAX) (severity: high, rule: SC_GETPC_CALL)
  • PEB access via FS segment (x86) (severity: high, rule: SC_PEB_ACCESS)
  • PEB API-hash resolver (severity: high, rule: SC_API_HASH_RESOLVER)
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • Reference to LoadLibrary API (severity: high, rule: SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (severity: high, rule: SC_STR_GETPROCADDRESS)
  • Reference to VirtualAlloc API (severity: medium, rule: SC_STR_VIRTUALALLOC)