Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 698a53626b14517c…

MALICIOUS

Office (OLE) / .PPT

79.0 KB Created: 2020-09-13 18:57:23 Authoring application: Microsoft Office PowerPoint
MD5: 70f2f55ad6d4b335adccdcf8fbdce672 SHA-1: d5705f7ebca15fd46861ba07767c08a1bf3b68c2 SHA-256: 698a53626b14517cf25bafabba104f368778b981e24875843e38e364cf30a155
220 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The sample is a PowerPoint file containing VBA macros. The Auto_Close macro is configured to execute a command via the Shell() function. The script attempts to construct a command string by concatenating various variables, including 'potaka1' and 'pogata1', which likely resolve to a malicious executable or script to be downloaded and run. The presence of the Shell() call and the Auto_Close trigger strongly indicates an attempt to execute arbitrary code.

Heuristics 5

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • ClamAV: Doc.Malware.W2000m-9775797-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.W2000m-9775797-0
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
43777ffc0708b5e2418574f6ae3ec93b75dd40b6fe95db0d004beea253a1476d		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 2334 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.