Malicious Office (OLE) / .B — malware analysis report

Static analysis result for SHA-256 9045c3859d1e8fcd…

MALICIOUS

Office (OLE) / .B

Size: 14.5 KB
Created: 1998-12-14 14:40:54
Authoring application: Microsoft PowerPoint
MD5: 20b7aedfb525337e083061fafdbc7cef
SHA-1: c094d890a59d09fcaf7236be2129884d92158507
SHA-256: 9045c3859d1e8fcd1705a1286f628cb2e29cb3087fe5e00b18567a54902f9e08
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The file is identified as malicious by ClamAV with the signature Win.Trojan.PP97M-7, indicating it is a known trojan. Static analysis detected VBA macros within the PowerPoint file, which are commonly used to download and execute additional malicious content. The presence of these macros and the ClamAV detection strongly suggest an attack pattern involving macro-enabled document delivery.

Heuristics 3

  • ClamAV: Win.Trojan.PP97M-7 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.PP97M-7
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
          11541290a29cf82efe4fbb874bc893f8c513337f9d3ca8d5eb773d3b043fd013
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3330 bytes
Detection: ClamAV: Win.Trojan.PP97M-7
Obfuscation or payload: unlikely