Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 cd4795a3b3a49877…

MALICIOUS

Office (OLE) / .PPT

Size: 128.0 KB
Created: 2025-01-02 08:47:01
Authoring application: Microsoft Office PowerPoint
MD5: 0f4f32b97c7bde0824b0fd27fe3ec4b0
SHA-1: cd9436df767da50f1bcd9a3a40dacc7a40f1b662
SHA-256: cd4795a3b3a4987737dedf57b5964bbbd96df4d1afd99ccdcc374cc7588dacf4
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The presence of an Auto_Open macro in a PowerPoint file is a strong indicator of malicious intent. The macro likely executes arbitrary code, potentially leveraging the VirtualAlloc API as suggested by the heuristic firing. Without further script content, the exact payload and delivery mechanism remain unknown, but the initial execution vector is clear.

Heuristics (3)

  • Auto_Open macro (severity: high, rule: OLE_VBA_AUTO)
    Auto_Open macro
  • Reference to VirtualAlloc API (severity: medium, rule: SC_STR_VIRTUALALLOC)
    Reference to VirtualAlloc API
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: e922116fe6dc474c3a2f4dfbf297c3420bc2994d86faa0606778fe9658136ecc
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12158 bytes