Office (OLE) / .PPT malware analysis — malicious · 28fe0643a796cc46

MALICIOUS

Office (OLE) / .PPT

404.5 KB Created: 2005-03-01 15:58:04 Authoring application: Microsoft Office PowerPoint First seen: 2026-05-10

MD5: 20c10df33f44e932cb8a0a4de87ff150 SHA-1: f6dc0102f7c6a9747a868549b47bccdf06cce69f SHA-256: 28fe0643a796cc4664d3f8dcba5a2571db02b6abca2edce9228d811d3e8789fa

60 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.005 Visual Basic T1105 Ingress Tool Transfer T1547.001 Registry Run Keys / Startup Folder

The file is a PowerPoint presentation containing educational content about malware analysis. Notably, it includes script examples that demonstrate potentially malicious actions. One script uses WScript.CreateObject("Scripting.FileSystemObject") to create folders and files, and another uses Wscript.CreateObject("Wscript.Shell") to write and read registry keys, specifically demonstrating persistence via 'HKCU\MyRegKey\' and 'HKCU\MyRegKey\Sec\'. Although the content appears educational, the embedded scripts showcase techniques used by malware for file manipulation and persistence.

Heuristics 2

Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Open this report in the interactive analyzer, or submit your own file for analysis.