Win.Dropper.Agent-30182 — Office (OLE) / .PPS malware analysis

Static analysis result for SHA-256 3bb1d1d441ab7412…

MALICIOUS

Office (OLE) / .PPS

Size: 818.5 KB
MD5: 71803d893ed7d052fdb58f10da200fe9
SHA-1: 6b7fc67382ba6985bd41784e85e1c5df6dffa6bc
SHA-256: 3bb1d1d441ab7412ca429ec2db6dbcf48e2b19323bf589d37698e76dc305044f
Risk Score: 240

Malware Insights

Win.Dropper.Agent-30182 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File

The sample is a malicious PPS file containing VBA macros, specifically an AutoOpen macro, which is a common technique for executing malicious code upon opening. The ClamAV detection of 'Win.Dropper.Agent-30182' strongly suggests its nature as a dropper. The presence of the 'macros.bas' artifact indicates that the VBA code is likely responsible for downloading and executing a second-stage payload.

Heuristics (6)

  • ClamAV: Win.Dropper.Agent-30182 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Dropper.Agent-30182
  • PEB access via FS segment (x86) [high, SC_PEB_ACCESS]
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
  • CreateObject call [high, OLE_VBA_CREATEOBJ]
  • Suspicious extracted artifact [high, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
          7403e4728955600b20e1b11715dae9328df16f95bc7db40bf64d8dfe55835d1d
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1005 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely
    Carved macro source contains an auto-exec entry point and execution/download terms.