Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 53dcc6b98d2356c9…

MALICIOUS

Office (OLE) / .PPT

Size: 67.5 KB
Created: 2021-04-06 09:40:07
Authoring application: Microsoft Office PowerPoint
MD5: 942a6f8fe49e0bf3cec399c7e39600b7
SHA-1: 7061c673466d29ee92fa9b71b3479a0572152740
SHA-256: 53dcc6b98d2356c9a5f68b314edb8b819b99cec4ef2f6db0cfba72fb86a55d25
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell

The file is a PowerPoint presentation containing VBA macros. The critical-severity heuristic fired on a Shell() call inside an Auto_Close macro, a common technique for executing arbitrary commands. The 'VBA p-code auto-exec with execution tokens' firing further suggests that the macro is designed to run automatically upon opening or closing the document. While no specific URLs or hashes were extracted, the combination of these indicators strongly suggests the macro is intended to download and execute a secondary payload.

Heuristics (4)

  • Shell() call in VBA (severity: critical, ID: OLE_VBA_SHELL)
    Shell() call in VBA
  • Auto_Close macro (severity: high, ID: OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • VBA p-code auto-exec with execution tokens (severity: high, ID: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA macros detected (severity: medium, ID: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 96906ac94e7e2c0a8b22c11025e436402d5cab5f2cd6da5500ae11f5858b297e
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1141 bytes