Malicious Office (OLE) / .PPS — malware analysis report

Static analysis result for SHA-256 c5161323d4639739…

MALICIOUS

Office (OLE) / .PPS

818.5 KB
MD5: 82a7631929f6d5aaad61ea267e8319f4
SHA-1: 5bd8f1d7596c919c8093732c803940da322ae923
SHA-256: c5161323d4639739f7d6f848825b590a6ce9b887e0fe6525fd801122a3db50bd
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a PPS file containing VBA macros, specifically an AutoOpen macro, which is a common delivery mechanism for malware. The presence of a CreateObject call and PEB access suggests the macro is designed to execute code. Although the document body is unreadable, the heuristics indicate a high likelihood of malicious macro execution, likely for downloading and running a second-stage payload.

Heuristics (5)

  • [high] PEB access via FS segment (x86) (SC_PEB_ACCESS)
  • [high] AutoOpen macro (OLE_VBA_AUTOOPEN)
  • [high] CreateObject call (OLE_VBA_CREATEOBJ)
  • [high] Suspicious extracted artifact (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • [medium] VBA macros detected (OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas (7403e4728955600b20e1b11715dae9328df16f95bc7db40bf64d8dfe55835d1d)
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1005 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.