Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 730791498e622e20…

MALICIOUS

Office (OLE) / .PPT

Size: 81.0 KB
Created: 2021-07-18 18:49:40
Authoring application: Microsoft Office PowerPoint
MD5: fb68f8be8c75736c63464b924ff7c33b
SHA-1: 6546c3af939be5e2a2bce5c03a8d89ec562665f6
SHA-256: 730791498e622e20755f6b0100dd78dc66fd2e99f85aecf1d55626960c1260de
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The presence of an Auto_Open macro together with a reference to the CreateProcess API indicates that this PowerPoint file is designed to execute code as soon as it is opened. The VBA script assembles its command line from fragments, "msh" + "ta " + "http://www." + "bitly.com/tyuwqghwqbsvaklajsmk" (i.e. an mshta invocation pointing at a shortened URL), and passes the result to a function that likely downloads and executes a payload. This behavior is consistent with a macro-based downloader.

Heuristics (3)

  • Reference to CreateProcess API (severity: high, rule: SC_STR_CREATEPROCESS)
  • Auto_Open macro (severity: high, rule: OLE_VBA_AUTO)
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS): document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 2d00ad9f7538aa9a54e9039fdd6b3d3669d792c509d190710e299d28129bf512
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5644 bytes