Malicious Office (OLE) / .ATT — malware analysis report

Static analysis result for SHA-256 e98e384655dce867…

MALICIOUS

Office (OLE) / .ATT

28.5 KB Created: 1998-12-09 10:33:06 Authoring application: Microsoft PowerPoint
MD5: 2348ba8a39e349fd17247400e1b97078 SHA-1: ef59a8f64ae906ec5fb0cf49aa8fbeb396666b8d SHA-256: e98e384655dce867a9afad88d2f47e5fab1453eca6d3a0ef6cdeb3aa044ec74b
140 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The file is a PowerPoint document containing VBA macros, as indicated by the OLE_VBA_MACROS heuristic. ClamAV detections (Win.Trojan.PP97M-7) on both the main file and an extracted artifact confirm its malicious nature. The document body consists of generic PowerPoint template text, suggesting a lure to enable macros. The specific intent of the macros could not be determined due to the absence of a SCRIPTS section, but the presence of VBA macros in a malicious PowerPoint file strongly suggests a delivery mechanism for further malicious payloads.

Heuristics 3

  • ClamAV: Win.Trojan.PP97M-7 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.PP97M-7
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
d8672b3dc6367bf7fa186bb235af77926552158924876be62b70da8016f80a63		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1768 bytes
Detection
ClamAV: Win.Trojan.PP97M-7
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.