Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 38f8b09aaad2db0e…

MALICIOUS

Office (OLE) / .PPT

Size: 128.0 KB
Created: 2025-01-02 08:47:01
Authoring application: Microsoft Office PowerPoint
MD5: 3aa3949a10e50d1b6c2eab8b2b8268aa
SHA-1: 12863c65d45a1026b27d7ee22a2ef4fca73dbfa2
SHA-256: 38f8b09aaad2db0ebc4a4cbf2acdaa2b55e17f149b9834e80e476a39755318d2
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The presence of an Auto_Open macro indicates that the VBA code within this PowerPoint file is designed to execute automatically when the presentation is opened. The heuristic firing for VirtualAlloc suggests the macro likely allocates memory to run shellcode or download a secondary payload. Without further script content or network indicators, the exact nature of the payload remains undetermined.

Heuristics 3

  • Auto_Open macro (high, OLE_VBA_AUTO)
  • Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC)
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas (e922116fe6dc474c3a2f4dfbf297c3420bc2994d86faa0606778fe9658136ecc) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12158 bytes