Office (OLE) / .PPT malware analysis — malicious · 30a9c4190942560c

MALICIOUS

Office (OLE) / .PPT

369.5 KB Created: 2021-02-24 19:36:33 Authoring application: Microsoft Office PowerPoint

MD5: 672ff0e77cdb80f3c602154c1b0b9c11 SHA-1: 8da1cb475a8e4b4100013f2c0a3e0537a22bfdfd SHA-256: 30a9c4190942560c6c63cf18f8990a0d129b9239a4288d2f9c2eb64e63c509bb

100 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.005 Visual Basic

The sample is a PowerPoint file identified as malicious. Static analysis detected VBA macros and a specific reference to PowerShell within the VBA code. The presence of 'macros.bas' and the PowerShell reference strongly suggest the macros are designed to execute a secondary payload, likely via PowerShell. The embedded URL was confirmed benign, so the primary IOC is the macro file itself.

Heuristics 4

PowerShell reference in VBA critical OLE_VBA_PS

PowerShell reference in VBA
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `d10745e5c2f4ab2b57e923226d2c652ad0bc6f66e4172e2d2ce7b12a43f62307`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1218 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 shell/COM execution token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.