Office (OLE) / .PPT malware analysis — malicious · 7e2d45390f8404cc

MALICIOUS

Office (OLE) / .PPT

58.0 KB Created: 2021-06-28 17:22:58 Authoring application: Microsoft Office PowerPoint

MD5: fd1ff7f1c79aeada5a01677a77406723 SHA-1: a8b39460a18710250daf0096164bc5560e5beb75 SHA-256: 7e2d45390f8404cc8cfa9e2334d45f9aac4acdfbb6265a0c2fb653c3c8042628

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 Command and Scripting Interpreter T1071.001 Application Layer Command and Scripting

The VBA macro contains a `Shell()` call that executes a URL. The URL itself contains obfuscated strings, suggesting an attempt to evade detection. The `auto_close` macro, combined with the `Shell()` call, indicates a macro-based downloader attempting to execute a command. The `Replace` function suggests an attempt to obfuscate the URL. The document's purpose is likely to download and execute a secondary payload.

Heuristics 4

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `e647a977534237c696af07ed9ec1327b9d4a043175d48f6bdd37a5fec8728f62`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3747 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.