Office (OLE) / .PPT malware analysis — malicious · 687b4f8d3d1fd265

MALICIOUS

Office (OLE) / .PPT

66.5 KB Created: 2022-07-06 21:24:46 Authoring application: Microsoft Office PowerPoint

MD5: c03d842ed49fb228222f3da8ac97da8c SHA-1: 37900bc59ceed04d023f5d266842cdfa45bb6a8f SHA-256: 687b4f8d3d1fd26516db36976a0b123d7b05cf3ee4a9555f4b159a0a92e96a5f

142 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample is a PowerPoint file containing a VBA macro that executes a shell command. This command uses mshta.exe to download and execute a payload from the provided URL. The Auto_Close macro is designed to run automatically when the document is closed, facilitating the execution of the malicious payload.

Heuristics 5

Reference to mshta.exe high SC_STR_MSHTA

Reference to mshta.exe
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL https://bitbucket.org/!api/2.0/snippets/rikimartinplace/rEqngB/b1f4b998fc53d3a2df082dc9b3a366447e03fcc8/files/gibsonfinal

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `85f05615ff51ff5b42cd23d1ecdc17db57ac0ba3e61340c6bdc781ba23b93078`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	890 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.