Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 496237726cd64b44…

MALICIOUS

Office (OLE) / .PPT

Size: 74.0 KB
Created: 2020-10-19 22:07:16
Authoring application: Microsoft Office PowerPoint
MD5: 9e696b828a2757012a5ab00c43899730
SHA-1: 87ba36cf5356cc4ec3f185452eb04a2f98190b6a
SHA-256: 496237726cd64b44b246dcd3510ce666e10276fb92ec362b45038dd360ba2c07
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The sample is a PowerPoint (OLE) file with a high-confidence detection for VBA macros. Specifically, the presence of an Auto_Close macro together with a CreateObject call indicates that the macro is designed to run automatically when the presentation is closed and to instantiate COM objects from within VBA. The VBA p-code auto-execution heuristic further confirms this malicious intent, since the compiled macro stream contains an auto-execution token alongside execution tokens. No specific IOCs such as URLs or hashes were extracted, but the macro's functionality suggests it likely downloads and executes a second-stage payload.

Heuristics (4)

  • Auto_Close macro (severity: high, rule: OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • CreateObject call (severity: high, rule: OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (severity: high, rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: a1bd7d1d67409f8bf4ac2573e499a75b819b0eda8727445e804bb884783bcc17
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1661 bytes