Malicious Office (OLE) / .PPS — malware analysis report

Static analysis result for SHA-256 72dbd0d45cca6533…

MALICIOUS

Office (OLE) / .PPS

818.5 KB
MD5: 66b926f0646ffbbffc08987f5ca21b37
SHA-1: 71a9d40386ac3d9318282547628b558698d056fc
SHA-256: 72dbd0d45cca6533332d5fcdf63b159d0d54833d095a14f83f6d15ef5405045f
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is a malicious PowerPoint file containing VBA macros. The AutoOpen macro is designed to open a specified Excel file and then execute a macro named 'valider' from 'feuil2' within that Excel file. This suggests a multi-stage attack where the PowerPoint acts as a loader for a malicious Excel payload. The PEB access heuristic further indicates suspicious behavior related to process introspection.

Heuristics 4

  • PEB access via FS segment (x86) [high, SC_PEB_ACCESS]
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
  • CreateObject call [high, OLE_VBA_CREATEOBJ]
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

  Filename: macros.bas
  Hash: 7403e4728955600b20e1b11715dae9328df16f95bc7db40bf64d8dfe55835d1d
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 1005 bytes