Office (OLE) / .PPS malware analysis — malicious · 4fe7aec8c3f4aac2

MALICIOUS

Office (OLE) / .PPS

818.5 KB

MD5: 74cf5f5f300d49baf141d9058a610edb SHA-1: 4ca1135d2ae30bc06368e4b7487d72c662606e34 SHA-256: 4fe7aec8c3f4aac286ad078cf86ba1dc0262ac13e3b74ffd8959d2102a036d6c

180 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic for Applications T1566.001 Spearphishing Attachment T1204.002 Malicious File

The file is a PPS (PowerPoint Show) document containing VBA macros, indicated by the OLE_VBA_MACROS and OLE_VBA_AUTOOPEN heuristics. The AutoOpen macro is designed to execute automatically when the document is opened. The DOC BODY, though heavily garbled, suggests a lure to click and enable macros. The macros.bas file is the source of this malicious behavior. The PEB access heuristic suggests the macro may be attempting to evade detection.

Heuristics 5

PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `7403e4728955600b20e1b11715dae9328df16f95bc7db40bf64d8dfe55835d1d`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1005 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.