Malicious Office (OOXML) / .PPTX — malware analysis report

Static analysis result for SHA-256 3fff8c76c5303094…

MALICIOUS

Office (OOXML) / .PPTX

Size: 1.46 MB
Created: 2009-08-28 16:40:26 UTC
Authoring application: Microsoft Office PowerPoint 16.0000
First seen: 2026-05-13
MD5: d054b4bf740129580705da311534ab38
SHA-1: e095da428b2e39ae019636c068277c3a3c4145ad
SHA-256: 3fff8c76c530309455efdd96043378112a86341ca32aa732a5ef7605bbd7d461
Risk Score: 78

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link

The sample contains external hyperlinks and relationships pointing to internal J.P. Morgan network paths and an external URL, suggesting an attempt to trick the user into interacting with malicious content. The presence of an embedded OLE object and call-to-action shapes further supports a social engineering attack. The document body itself appears to be a financial outlook report, which could be used as a lure to disguise the malicious intent.

Heuristics 5

  • External relationship | high | OOXML_EXTERNAL_REL
    External target in ppt/charts/_rels/chart1.xml.rels: file:///\\NAEAST.ad.jpmorganchase.com\amerib$\GR\RESDATA5\aquadrani\David\Agency\Agency Multiples.xlsx
  • Embedded OLE object | medium | OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • External hyperlinks (5) | low | OOXML_EXTERNAL_HYPERLINKS
    Document contains 5 external hyperlinks — clickable URLs are stored as external relationships. First target: mailto:alexia.quadrani@jpmorgan.com
  • Call-to-action shape / download button | low | OOXML_DOWNLOAD_SHAPE
    Document drawing contains a call-to-action phrase ('Click Here', 'Download Now', etc.) inside a shape or text box — a common visual lure used to trick users into enabling macros or visiting a malicious URL
  • Embedded URL | info | EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://www.netroadshow.com/events/login?show=f56fa483&confId=73280 (Document hyperlink)
    • http://www.jpmm.com/Research/Multimedia (Document hyperlink)
    • http://www.iec.ch (Document hyperlink)

Extracted artifacts 17

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: ppt/embeddings/Microsoft_Word_Document.docx 10357 bytes
SHA-256: bada0f0127b479f404652e25d67f84f7748230025a92089cfa65cf927f9001b6
emf_00.emf ooxml-emf OOXML EMF part: ppt/media/image8.emf 199004 bytes
SHA-256: 2f42a8d43a3fbaa8ffd22deabe2ffd881a7de7d6c6c9283e8f34557186214c42
emf_01.emf ooxml-emf OOXML EMF part: ppt/media/image9.emf 110844 bytes
SHA-256: 76084e85b357e1fdd5b597ab6dd5ec5f8c84f9acb82e8eda03324e63db85528f
emf_02.emf ooxml-emf OOXML EMF part: ppt/media/image10.emf 13928 bytes
SHA-256: 9bdc3f13ee19f8cb6b71c48db3e076da097cbeb32dfd6797ede2ce1490f17fb9
emf_03.emf ooxml-emf OOXML EMF part: ppt/media/image7.emf 83340 bytes
SHA-256: 4092793d42b682d5ecb2800416cc9cdcdb03aae14d500cc58a83577faca89a76
emf_04.emf ooxml-emf OOXML EMF part: ppt/media/image21.emf 47292 bytes
SHA-256: 4f1995766f7aa61eb87d86e408c4a6dae9e370dafa2a91e0c8aee43a7b053177
emf_05.emf ooxml-emf OOXML EMF part: ppt/media/image22.emf 136744 bytes
SHA-256: a354d47461c0fa5b465d3956d50191128650f18c868bdfbaddd95193070082e2
emf_06.emf ooxml-emf OOXML EMF part: ppt/media/image23.emf 84732 bytes
SHA-256: 737d4ab9f8a93e60e3a3006bc6c69d61fcae630df5afa3be001b64795d53788a
emf_07.emf ooxml-emf OOXML EMF part: ppt/media/image17.emf 11224 bytes
SHA-256: e82c408f42f25b0f81d9ff743c10afdb9487f5e570b372418ebd5690521e0c1e
emf_08.emf ooxml-emf OOXML EMF part: ppt/media/image18.emf 906228 bytes
SHA-256: e1628baefbc580adbea81db5fdcef66d53b8846006f502c461a3df0b682b0fab
emf_09.emf ooxml-emf OOXML EMF part: ppt/media/image19.emf 5956 bytes
SHA-256: cb87fb2e87278df48d69ba86e6cb51dc971b88997bfa12d889056d4a082e382d
emf_10.emf ooxml-emf OOXML EMF part: ppt/media/image20.emf 10648 bytes
SHA-256: 70fc63ce2c4a6abb5198eff198a5249bc8b742ee3bfb817a7ab7394a2f18da78
emf_11.emf ooxml-emf OOXML EMF part: ppt/media/image2.emf 79692 bytes
SHA-256: d4ca840a9e40ef338b5a91d0b2a89342eb6c50b869efc4d34fe20f5451375df7
emf_12.emf ooxml-emf OOXML EMF part: ppt/media/image3.emf 79692 bytes
SHA-256: 0edc44df77e376c0e64fa78f1195e634bbd8a9e3267b0560de88dee2acce521e
emf_13.emf ooxml-emf OOXML EMF part: ppt/media/image4.emf 133108 bytes
SHA-256: e4c64f74308e73bc1add653d9bcedbbd3909d5b00ae78a80ccadf237f160bf05
emf_14.emf ooxml-emf OOXML EMF part: ppt/media/image5.emf 229392 bytes
SHA-256: a53cbb43deb9a254da57c7e2d9ea35d64c8a09dc904dcbe7295f510ae0db24a0
emf_15.emf ooxml-emf OOXML EMF part: ppt/media/image6.emf 19896 bytes
SHA-256: 8cef498dceb2874a743d113462a8de4a864ba8ad0cac72f6ea09d5598d48b9da