Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 cb5e712281cc1223…

MALICIOUS

Office (OLE) / .PPT

161.0 KB Created: 2006-08-16 00:00:00 Authoring application: Microsoft Office PowerPoint
MD5: 31f76731ced0050f3fd008eb0e7432cd SHA-1: 1617583192527c571bf684e9ad697addce265da3 SHA-256: cb5e712281cc1223141d7b026a6b9ce190bc89a1aae5ab9da1e640bda60a6bca
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell

The file is a PowerPoint presentation containing VBA macros. A critical heuristic firing indicates the use of the Shell() function within a VBA macro, specifically within the Auto_Close macro. This suggests the macro is designed to execute arbitrary commands when the presentation is closed. No specific URLs or network indicators were extracted, and the document body did not contain user-facing text. The VBA p-code auto-execution with execution tokens further supports the malicious intent of automatically running code.

Heuristics 4

  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
95082fe0102ede6b385edf62119712a3ca96973e38e954a4d315e1ecf96c0d7c		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 33716 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.