Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 7721fa12ed38f464…

MALICIOUS

Office (OLE) / .PPT

367.0 KB Created: 2021-02-24 19:36:33 Authoring application: Microsoft Office PowerPoint
MD5: 6a6b5f154b38076e2c81ce3aa4cd92a4 SHA-1: ed92169a72358e50186cfbd8c2340d376b394f99 SHA-256: 7721fa12ed38f464726a914d6807cd97cbcd9a1927a1b63c16ac805d4f2039de
82 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1566.001 Spearphishing Attachment

The VBA macro contains a reference to PowerShell and uses the WinExec API to call it. The PowerShell command is constructed by concatenating strings to form the URL 'https://bit.ly/2NDvCOG', which is then used to download and execute a second-stage payload. This indicates a typical macro-based downloader attack pattern.

Heuristics 3

  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
d10745e5c2f4ab2b57e923226d2c652ad0bc6f66e4172e2d2ce7b12a43f62307		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1218 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.