Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 1dbc72cdc4dd1df8…

MALICIOUS

Office (OLE) / .PPT

76.0 KB Created: 2006-08-16 00:00:00 Authoring application: Microsoft Office PowerPoint
MD5: 61bd1fcd5fcc5bb7f14013763b7c9585 SHA-1: 9ce0f504663e33ff870a406a32ddc86791b9fdda SHA-256: 1dbc72cdc4dd1df8d2853ee75cbca7d0872469deb739234bb51d1291074c00c1
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell

The file is a PowerPoint presentation containing VBA macros. The critical heuristic firing indicates a Shell() call within the VBA code, and the Auto_Close macro suggests this malicious code executes automatically when the presentation is closed. The VBA p-code auto-execution with execution tokens further supports this. The exact command executed by Shell() is not directly visible in the provided evidence, but its presence strongly suggests the download and execution of a secondary payload.

Heuristics 4

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
fe903987a66672fd33eb7860de3144922cc75cb6626518bae52ce16b78c98daa		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 812 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.