Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 27f550d8d6c287f8…

MALICIOUS

Office (OLE) / .PPT

315.5 KB Created: 2006-08-16 00:00:00 Authoring application: Microsoft Office PowerPoint
MD5: 1ae5743d50319e40ca37aa5b825e5ff1 SHA-1: acb2ea18d768f867ceed494b7224584dfb2bed5f SHA-256: 27f550d8d6c287f856de397c73f297447d423ff2bfaaaa12b06d7dc84e5908ff
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell

The sample is a PowerPoint presentation containing VBA macros. A critical heuristic firing indicates the use of the Shell() function within a VBA macro, specifically within an Auto_Close routine. This suggests the macro is designed to execute an arbitrary command upon closing the document. While no specific URLs or hashes were extracted, the presence of Shell() and Auto_Close strongly implies a downloader or initial execution stage for further malicious activity.

Heuristics 4

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
cdf11e9ecfc0310ef72aa9f0f8f2719c63036de1098a9f19c8d4ca5f1fa03840		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 803 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.