Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 72b86bcd26c86d7b…

MALICIOUS

Office (OLE) / .PPT

66.5 KB Created: 2021-04-25 20:30:06 Authoring application: Microsoft Office PowerPoint
MD5: ac619f9bdc3d2155daa18244fec30096 SHA-1: af56c2fc1a8f421edaa28964cd22307d124c7c64 SHA-256: 72b86bcd26c86d7becd2a677b350f497913309b7e3a7e14f77e1e335f516c378
242 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1218.005 System Binary Proxy Execution: Mshta T1566.001 Spearphishing Attachment

The sample contains VBA macros, including an Auto_close macro, which is designed to execute code upon opening. The critical Shell() call within the VBA code, combined with the heuristic firing for LOLBin mshta.exe, indicates an attempt to launch mshta.exe with a URL. This is a common technique for downloading and executing further malicious content. The benign reputation of the extracted URLs does not negate the malicious intent indicated by the macro execution.

Heuristics 7

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Reference to mshta.exe high SC_STR_MSHTA
    Reference to mshta.exe
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.j.mp/bdkmasbdmkasbdhsagbdhsagbd
    • http://www.google.com

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
8ae49e0c85b705fa3372196052199237f8bc8131adf0157d4ea96441faee557e		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 954 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.