Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 4ddf3a1e7b283ecc…

MALICIOUS

Office (OLE) / .PPT

68.5 KB Created: 2021-04-06 09:40:07 Authoring application: Microsoft Office PowerPoint
MD5: 4197a6f162139ab98e2219407854a6d6 SHA-1: ab7d8e1a842cac16efa33665aaf2785ba30d2d7a SHA-256: 4ddf3a1e7b283ecc18d243c37e60b7c08d1e72a37b041b55e38ede666cc5decf
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The presence of VBA macros, specifically an Auto_Close macro and a GetObject call, indicates malicious intent. The Auto_Close macro is designed to execute automatically when the presentation is closed, and the GetObject call is often used to instantiate and run malicious objects. This combination suggests the file is a dropper or downloader that executes a secondary payload.

Heuristics 4

  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
9d01c7045b31828c37461eb1f829e9c9c8fa6fa7ae2a64f4dd410f8c6c80e4a9		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1759 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.