Malicious Office (OLE) / .PPS — malware analysis report

Static analysis result for SHA-256 81a08238662a58e0…

MALICIOUS

Office (OLE) / .PPS

818.5 KB
MD5: be2a9cfcd300e89ce47a2a39bb1fd2b6
SHA-1: 49eea01aaa9808e324574a62a76826842e7f5c5e
SHA-256: 81a08238662a58e0d00e8ee3f9e05bb36f4184c324e2cf8d38a6729680f359a9
140 Risk Score

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is a malicious PowerPoint slideshow containing a VBA macro with an AutoOpen subroutine. The macro launches an Excel application and opens a specified Excel file, 'chemin_du_fichier.xls'. The CreateObject calls and the PEB access heuristic further indicate malicious intent, likely to execute a second-stage payload from the Excel file.

Heuristics 4

  • PEB access via FS segment (x86) [high, SC_PEB_ACCESS]
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
  • CreateObject call [high, OLE_VBA_CREATEOBJ]
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
          7403e4728955600b20e1b11715dae9328df16f95bc7db40bf64d8dfe55835d1d
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1005 bytes