Malicious Office (OOXML) / .PPTX — malware analysis report

Static analysis result for SHA-256 6940e671332dc30c…

MALICIOUS

Office (OOXML) / .PPTX

771.8 KB Created: 2023-04-26 18:23:33 UTC Authoring application: Microsoft Office PowerPoint 14.0000
MD5: 8174cd78246d0f2f676ac3304e7d0363 SHA-1: ee624ffb256e39b2d384851bd99af06da2e27824 SHA-256: 6940e671332dc30c524c8d856f980a7dc52c08121a54213599a3540d47a82785
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1137.001 Office Application Native API

The file is a PowerPoint document containing an embedded OLE object which, in turn, contains a VBA macro. This macro is highly suspicious and likely serves as a loader for malicious content. The embedded OLE object and the presence of a VBA macro strongly suggest an attempt to execute malicious code, commonly used for downloading further stages of an attack.

Heuristics 3

  • Embedded Office object carries macros critical OFFICE_EMBEDDED_MACRO_OBJECT
    This document embeds a second Office file that itself contains a VBA macro project or an Excel 4.0 (XLM) macro sheet. Hiding a macro-bearing workbook or document inside another document — frequently under an obfuscated, non-standard part name — is a macro-smuggling technique that defeats scanners which only inspect the outer document's macro storage. No benign authoring workflow stages a hidden macro project this way.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#

Extracted artifacts 12

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
8168163fc8e5b562a6ea8f2317f98a57d99b1ea62bd3dda067eb96e8e58d0e8b		 ooxml-ole-object OOXML embedded OLE part: ppt/embeddings/oleObject4.bin 4608 bytes
ooxml_oleobject_01.bin
45c1773187cdfcd5f5e110591b07b54f55bdac196aa685226cb1061ca391ae4a		 ooxml-ole-object OOXML embedded OLE part: ppt/embeddings/Planilha_Habilitada_para_Macros_do_Microsoft_Excel1.xlsm 56774 bytes
ooxml_oleobject_02.bin
8d801bd0c177a0619f661c8e33131456b7a9ca256cf76ebfaa0e68cc887ea5c1		 ooxml-ole-object OOXML embedded OLE part: ppt/embeddings/Planilha_Habilitada_para_Macros_do_Microsoft_Excel1.xlsm!xl/embeddings/oleObject1.bin 162816 bytes
ooxml_oleobject_02_ole10native_00.bin
a0997e4d1440b60577496e486c49c32db8897e6b07ded94cd1593ded23f237f6		 ole-package OOXML ppt/embeddings/Planilha_Habilitada_para_Macros_do_Microsoft_Excel1.xlsm!xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 158532 bytes
ooxml_oleobject_03.bin
de28aa9b082683638f2c742b7039027c431b4259e01351a68e977364ffd0a809		 ooxml-ole-object OOXML embedded OLE part: ppt/embeddings/Planilha_do_Microsoft_Excel4.xlsx 79564 bytes
ooxml_oleobject_04.bin
fc8fa929d6be111712cfdf440720d2891291e08423d6378faad44210e193421f		 ooxml-ole-object OOXML embedded OLE part: ppt/embeddings/Planilha_do_Microsoft_Excel3.xlsx 79518 bytes
ooxml_oleobject_05.bin
a91fe8c39debd5a88b29de25327da4078bd588f14f7f50fb37e7d6bc4af77975		 ooxml-ole-object OOXML embedded OLE part: ppt/embeddings/Planilha_do_Microsoft_Excel2.xlsx 17415 bytes
emf_00.emf
a4e9862dee0ca79de19a733c2f3ad0f630ce21766f8fb47ef3669bfc510e20ce		 ooxml-emf OOXML EMF part: ppt/media/image7.emf 5372 bytes
emf_01.emf
ec7165a53306447594e85fe309c08f79ab918a6c9a7157554b4f331737961764		 ooxml-emf OOXML EMF part: ppt/media/image6.emf 8068 bytes
emf_02.emf
da25363a8a21939869d89fa2bed9b42ba37836d439c83db3f4d10ca98a45d54c		 ooxml-emf OOXML EMF part: ppt/media/image4.emf 192 bytes
emf_03.emf
0496913355ccd93c9c6d8bcf38244bc70ecc8c9a334a6be321bd710418171472		 ooxml-emf OOXML EMF part: ppt/media/image8.emf 5360 bytes
emf_04.emf
04b84e640dfbc7eb5712f0b99a870eff2feb2f2277722a2e06975d9ebce38b9b		 ooxml-emf OOXML EMF part: ppt/media/image9.emf 5384 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.