MALICIOUS
280
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic for Applications
T1204.002 Malicious File
The file is identified as malicious by ClamAV with the signature Ppt.Exploit.Apptom-10029459-0. Static analysis detected VBA macros, specifically an AutoOpen macro and a CreateObject call, indicating an attempt to execute code upon opening the presentation. The presence of PEB access and API hash resolution suggests sophisticated evasion techniques. The document body contains garbled text and a master slide title, but no clear user-facing lure.
Heuristics 7
-
ClamAV: Ppt.Exploit.Apptom-10029459-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Ppt.Exploit.Apptom-10029459-0
-
PEB access via FS segment (x86) high SC_PEB_ACCESSPEB access via FS segment (x86)
-
PEB API-hash resolver high SC_API_HASH_RESOLVERPEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas7403e4728955600b20e1b11715dae9328df16f95bc7db40bf64d8dfe55835d1d |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1005 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved macro source contains an auto-exec entry point and execution/download terms.
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.