Office (OLE) / .PPT malware analysis — malicious · 31b778e638228663

MALICIOUS

Office (OLE) / .PPT

174.0 KB Created: 2006-08-16 00:00:00 Authoring application: Microsoft Office PowerPoint

MD5: 98bbaeaf43888fa091881be138c9fac6 SHA-1: 419c3f31bdbcc1cbdc8ec59ef348eae064c8f050 SHA-256: 31b778e63822866333cd9ca6aeca6ea1b85c4b579c9f5a0b01c6bd294bd5e0cb

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell

The sample is a PowerPoint file containing a malicious VBA macro. The Auto_Close macro is configured to execute a command using the Shell() function, which is a critical finding. The macro source is 40733 bytes, indicating a complex script. The embedded URL was confirmed benign, so the primary IOC is the Shell() call itself. The macro's intent is to execute arbitrary commands on the system.

Heuristics 5

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://1230948%1230948@j.mp/jasfasdplasdplokasdpljjjj

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `193e01d87efc439cfc7d3aaa7f7a01dc9968d7aa478807073efa670e9caf1c26`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	40733 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.