Office (OLE) / .PPT malware analysis — malicious · 85726c464537704b

MALICIOUS

Office (OLE) / .PPT

152.0 KB Created: 2021-01-25 21:43:43 Authoring application: Microsoft Office PowerPoint

MD5: 5bed92a7cc9d31fb247d6b1f8d4c8a45 SHA-1: 88f0cf9de54b73bf582f2270b502f7a41165b066 SHA-256: 85726c464537704be01a5b57aedd4708cb803518b748068f5b180261126ddd57

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample contains obfuscated VBA macros that are triggered by the Auto_Close event. These macros utilize the Shell() function to execute a command. The script reconstructs a URL from concatenated strings, which is then likely used to download and execute a second-stage payload.

Heuristics 5

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `42bc74415078e61e611dfa7627cf3e740caff4578df202323678c202d8def86f`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	37968 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.