Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 b6630e97f641ab8c…

MALICIOUS

Office (OLE) / .PPT

Size: 74.5 KB
Created: 2022-06-13 21:34:52
Authoring application: Microsoft Office PowerPoint
First seen: 2022-06-14
MD5: e382eca2df3dd692c368b099b6b44b94
SHA-1: c1a8c0059e0bb2d76a22afb253117487a01f4425
SHA-256: b6630e97f641ab8c4888a81e7819b9f75ce7c54eb3e7fe02ef794d1b5721a24f
Risk score: 200

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

The critical OLE_VBA_SHELL heuristic indicates that the VBA macros within this PowerPoint file attempt to execute commands. Specifically, the Auto_Close macro triggers a call to the Shell() function, which is often used to download and execute further malicious content. The reference to mshta.exe further supports the likelihood of command execution. The VBA code concatenates strings to form a command, but the exact command and its target are not fully reconstructible from the provided snippets.

Heuristics (5)

  • Shell() call in VBA (critical, OLE_VBA_SHELL)
  • Reference to mshta.exe (high, SC_STR_MSHTA)
  • Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: d6951e6da0a7a087afa47595346d7a6fc60b572eea8fff0c880d230d299a64d2
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1567 bytes