Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 d8d7dd0121f4631f…

MALICIOUS

Office (OLE) / .PPT

Size: 92.0 KB
Created: 2006-08-16 00:00:00
Authoring application: Microsoft Office PowerPoint
MD5: b74d5e7acbd23c37bb546e31416c9d5e
SHA-1: c304118bec45bd8aead6c0c6407cb7254117d5f3
SHA-256: d8d7dd0121f4631f2c59056dbcec6fc7b55051145563ea17a5442104eb5b748c
Risk Score: 220

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1059.001 PowerShell

The sample is a malicious PowerPoint file containing VBA macros. The combination of an Auto_Close macro and a Shell() call in the VBA code indicates that the macro is designed to execute arbitrary commands when the presentation is closed. This is further supported by the 'VBA p-code auto-exec with execution tokens' heuristic, which matches the compiled macro stream independently of the decoded source. The ClamAV signature match corroborates the verdict. No network IOCs such as URLs or hashes were extracted from the macro, but this technique is commonly used to stage a secondary payload.

Heuristics (5)

  • Shell() call in VBA [critical, OLE_VBA_SHELL]
    Shell() call in VBA.
  • ClamAV: Doc.Malware.W2000m-9775797-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Malware.W2000m-9775797-0.
  • Auto_Close macro [high, OLE_VBA_AUTOCLOSE]
    Auto_Close macro (runs automatically when the document is closed).
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download, or object-execution tokens. This catches p-code-only macro documents, and documents whose source extraction failed, where no readable VBA source is available.
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: a09efce354e3686651bc76573354b06e0c729d4e8bcbff8516d28fa0b519dbe9
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2328 bytes