Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 71ba20bdd899fde2…

MALICIOUS

Office (OLE) / .PPT

Size: 81.0 KB
Created: 2021-07-16 10:44:52
Authoring application: Microsoft Office PowerPoint
MD5: 059e79d36927bb230e90376aa7528015
SHA-1: 2448b57e97a917d01993c89b901ad2c21d413792
SHA-256: 71ba20bdd899fde2a4e2967bc6c719f2c96146cc80c3dd8953431cb82d4df199
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The presence of an Auto_Open macro and VBA macros indicates a malicious document designed to execute code. The script constructs the URL 'https://www.bitly.com/eyuiqwhdbkmasbdma', which is likely used to download and execute a second-stage payload. The reference to the CreateProcess API further supports the execution of external processes.

Heuristics 4

  • ClamAV: Ppt.Malware.Agent-9879341-0 (severity: critical, ID: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Ppt.Malware.Agent-9879341-0
  • Reference to CreateProcess API (severity: high, ID: SC_STR_CREATEPROCESS)
    Reference to CreateProcess API
  • Auto_Open macro (severity: high, ID: OLE_VBA_AUTO)
    Auto_Open macro
  • VBA macros detected (severity: medium, ID: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
          107e42ce9ab27805b324add0b4fa7970ff418de00bc9efecd0245509f8b4dfcd
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5677 bytes