Play interactive tour

Edit tour

Analysis Report test.ppsm

Overview

General Information

Sample Name:	test.ppsm
Analysis ID:	428845
MD5:	99a4963b54d93b286ff5de714c7f5010
SHA1:	66fb2a56df63e96af7b43b843a918370a8763147
SHA256:	61af0a3d3d4d9b0a52b94b96830adc7bbe000f626c02c8914b001c155e90d9da
Infos:
Most interesting Screenshot:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document contains an embedded VBA macro which may execute processes

Document contains an embedded VBA macro with suspicious strings

Classification

Process Tree

System is w7x64

POWERPNT.EXE (PID: 1948 cmdline: 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' /AUTOMATION -Embedding MD5: EBBBEF2CCA67822395E24D6E18A3BDF6)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\550AD343.png

Jump to behavior

System Summary:

Document contains an embedded VBA macro which may execute processes

Show sources

Source: test.ppsm

OLE, VBA macro line: wsh.Run "cmd.exe /c %temp%\art1204.bat", vbMinimizedNoFocus

Document contains an embedded VBA macro with suspicious strings

Show sources

Source: test.ppsm	OLE, VBA macro line: Dim wsh As Object: Set wsh = VBA.CreateObject("WScript.Shell")
Source: test.ppsm	OLE, VBA macro line: Open Environ("temp") & "\art1204.bat" For Output As #1
Source: test.ppsm	OLE, VBA macro line: wsh.Run "cmd.exe /c %temp%\art1204.bat", vbMinimizedNoFocus
Source: VBA code instrumentation	OLE, VBA macro: Module Module1, Function Malicious_File, String wscript: Set wsh = VBA.CreateObject("WScript.Shell")	Name: Malicious_File
Source: VBA code instrumentation	OLE, VBA macro: Module Module1, Function Malicious_File, String environ: Open Environ("temp") & "\art1204.bat" For Output As # 1	Name: Malicious_File
Source: VBA code instrumentation	OLE, VBA macro: Module Module1, Function Malicious_File, String cmd.exe: wsh.Run "cmd.exe /c %temp%\art1204.bat", vbMinimizedNoFocus	Name: Malicious_File

Source: classification engine

Classification label: mal48.expl.winPPSM@1/11@0/0

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE

File created: C:\Users\user\Desktop\~$test.ppsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC7E0.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Resiliency\StartupItems

Jump to behavior

Source: test.ppsm

Static file information: File size 4802837 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting2	Path Interception	Path Interception	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Scripting2	LSASS Memory	System Information Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
test.ppsm	2%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	428845
Start date:	03.06.2021
Start time:	08:16:34
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	test.ppsm
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	2
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.expl.winPPSM@1/11@0/0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .ppsm Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, vga.dll Report size getting too big, too many NtCreateKey calls found. Report size getting too big, too many NtSetValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\43446C68.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
File Type:	PNG image data, 1878 x 755, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1322914
Entropy (8bit):	7.996917351180822
Encrypted:	true
SSDEEP:	24576:Rq14kFRl5w3G51t8I4IU1UnBcv4k1dpnrwitv5b7bVz58bkE3891:wLRoI4Ix04kz+ih5PbVz58bR3s
MD5:	C64F21CF0722F454EB1E209D0CAD6150
SHA1:	0240B2FC1615AD3012CA08BF8FFEC0A9C99A13AB
SHA-256:	FC7CCBE840516D060F385D931BE288D7481E5FE11BF0B5C3BC4E4F003677F61D
SHA-512:	6115CC387B2A83C3F9ACC4CF6ACE130A4328A84DB1382919B476F336B3780430E81FAD9216E170E4944AAE2AEFD1D30907181FAFB73D5E4E7C4466EF0D4FAC89
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...V.........-ArW....sRGB.........IDATx^..k.}[......_....jc..v.c.n.P.&(.t...(."P.P"b.B.J.y..)..K,%......BQ..%8.D.M.........vL7u..:.\|.......U..y{.N.Z{.9.....x.\s....x.?...^..W..._..W?...{..+..x.?..O;}....\|....\|....\|....\|....\|....\|....\|....\|....\|....<!....}....}....?..G.......>.....P}...?..[_\|./.......6...O....O....O....O....O....O....O....O....O....O....._......w..........n.?..p{......W........G.}.....o}.Q....JW.{.._.........x......^{...^.x...?\|..7.{.{...;.........Wg^>_.y.W4......../.........{Y.c.5Vgz1R_.;..5.@....\|......_z....:6.....q.....:..`1.c.....r..y..3...._.&.E..@.y.7.........!........7J......c../......U.....j...O.K..o.=...p.:.~.+Y..?u......>b........A.Yn....J...gm....~.Mx....B...=.a%.b...>6.\|.S,.C..x.....x.mT..F.>5..o.y..5.......0G..J3.._.dnl\n.{#X....7...w..Z..d\|..{..^.q.}cAu.t...6lv.&...["=.x&.f..2.9c.....X....eCP..\|6./V<.p..C.+R.....m...I.u...;+....Ew..`9.3....oxj.I-.1..m}..z.T.Se}.3.......K....A].`.;n.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\43D2F149.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
File Type:	PNG image data, 1586 x 789, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1039105
Entropy (8bit):	7.996797065086077
Encrypted:	true
SSDEEP:	24576:ah0W6rz8wgXCLB8cuMX63uEgCp7EMPy0Xb+v/7nT1n:NrwMLYMXIuMxXbM/7pn
MD5:	65E39B942B26D80D304FB74324DEDC2D
SHA1:	7F1E3381FCAB457D46DC58BF67B4A8D7910EDD13
SHA-256:	04B76F1BBF1CA10409821BE6F1B3A81D428535ACF0B9E221D2D594C6FF4BCA4F
SHA-512:	5A41DCC0FADD3E3F960771DCCA481A2C4A46775F8FE359FFC6DE6EC000B65A78244C95848C888E3799B94005C69A0DCC5C03ED8B36A40163B846E2580C095539
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...2.........R.......sRGB.........IDATx^....}..y.....(n.2@.@.l.&j.V$.E.i....L..{. .cK.....N......@;).."hS.$....Fq.9g.}..=.k.g...F..Y.w.k.1>.S<.g.k...._.~._{......~._{......~._{......~._{......~...{...f._\|............W_..W.R..w....<._..?.........W_...7.~[....U.....g.u.......?$...........X..?....w..._.E=v.V.8..b.W..._...?\......\|&...._...-U.x:...+.sV.W..............]5.:../...Y-..]....U!.uZ...>..:...../..._.rN....~.m!...\..S...[.~....0%.s.`x.._.\H..... R#.?....$.h.(..q.....W..+.6C.e..j.p..}M....\|..`.,!.........#.`..r.%J[.W2.W.4.xI..?......~.....?./.R[..a.<.O..&.'DyGB.XGN>.A.]1<.......I=.p.n......Z..rQ.X..v...<..]....b7.......m.I...9.%...O..?....._.....y..._x....+........O~R}..r..:..N....gZ.k...7...V.......K..{D....(..* ..g?.Q....e....].t.j...L..EN....Dt..c..a5.88qo....}..u.r.fN]..........&.....D2....V..A..S^.q$...VSj......M1........W.I.v..8.o......0..\|a.'......<.)Y..,.!SC....bT.....).0H..............#......N..... :

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\550AD343.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
File Type:	PNG image data, 1920 x 943, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	67888
Entropy (8bit):	7.410686302242833
Encrypted:	false
SSDEEP:	1536:tpLpUIKMmHKM9F1Bu7YzAYOriG2CwkCJnFs:tpfnk8Y4ijCwkCJnFs
MD5:	33753FA3B5A5141763806806F38224D6
SHA1:	C6AB280916A85B8D3CC8440B8360BB6EEDF39E83
SHA-256:	B5B5C88C86E64FC2BAAE69B8FB2B2EDD4370EB6F512F00849173703FBCFE7236
SHA-512:	281A526E42ED7C3975297257043C4E756B3C711806FB826D360924B230D1A9A291E29117B1057F6FBA731E964CB928036010B051323B6366865E6FAD0D33B881
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR..............uNa....sRGB.........IDATx^......y...DZ$Hi..e%H.D..Me-.D$....D.BQ.).."J.........,[./Wg...P.p.\,..!..(I....b.r@"V~.-. .xm.....dJ.p.%E....3;...3.3.3.==3.)......~.....w.w...x..h.....D....... @....... @.@).^S.Q....... @....... @..........z.... @....... @....... P...t9..(.. @....... @....... 0t...[R."@....... @....... @.@9....X.. @....... @....... @.......nIM....... @....... @.......@.c......... @....... @....C' ...%5!.... @....... @.......C@.].u0..... @....... @..........z.... @....... @....... P...t9..(.. @....... @....... 0t...[R."@....... @....... @.@9....X.. @....... @....... @.......nIM....... @....... @.......@.c......... @....... @....C' ...%5!.... @....... @.......C@.].u0..... @....... @..........z.... @....... @....... P...t9..(*k~d.=wN^.^.....q....... @....... @..... p....a..8..W}..wo...W\{....N..o-;.H.wm]{......c...O_\.U;.K....... @....... @.......(.....Z.Q...W\^.....Zv.t-}.....GU... @....... @.............X.;.o].>.....W......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\83560C34.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
File Type:	PNG image data, 1620 x 813, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	52981
Entropy (8bit):	7.591424432315975
Encrypted:	false
SSDEEP:	768:PupCf9sMRafM6ta+wjgAVTPYDTgj087xgw7/hoKvUWkTUMiTBcPVzvYunJK7aD:20CXgdj3YDTgj0mxgwKMUW2JYkJb
MD5:	D8348BA69CAE0FE479B20E207E7A9D61
SHA1:	12051EAB510AE7C7149B4C8282EA91F985809533
SHA-256:	BDC396B1ABC7D54AA7E588675EE5B7DE5D254E9CE8120D738BB10C51262BB274
SHA-512:	DDFF012A7506866A97D904914A7D47881446448F6AF19EB6C159DCA9A3C308865661966310EA35F2917942F043FB0763BBE7947E60039C72B7EC54E58007EA19
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...T...-.....fy.A....sRGB........IDATx^..?..F. ...0.....8..t....H.h"..w..b`.(........)..a..tt..0...'...\..3......<.R.uXE.)..E.........S.*....".7... @....... @......."..y.?.y......7............7..S........ @....... @......y......7o..?3_..7o.L./.... @....... @....w..._..7..?.\..............0..;M.X.. @....... @...........c...?.y3.....o...bCvl.."@....... @....... pK.!....3.5$..?2_..FA. @....... @.........O...y.w{.......E....... @....... @.....7o..Y.........c2..... @....... @....o........o....5<.../........ @....... @....g~..=....)z.... @....... @...?...7....../o...?.O{....o}..B....... @....... pG..o..wY...........z...s....o.861. @....... @.............y3..G}........_.y.?.....7..=...}. @....... @.......8\........./....#...K_... @....... @......S@..9.... @....... @......../....... @....... @....... @....... @....... @....... @....... @....... @....... @....... @....... @.....6........S.o.Zk.x..,.c.S7.......4..\...Z.y<G.}.6.....k,..{.......97

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DFA56B6.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
File Type:	PNG image data, 1328 x 772, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	597707
Entropy (8bit):	7.994581286957194
Encrypted:	true
SSDEEP:	12288:188AxbihVTXHIjJVI1+/3/uU5ttv+iYfvwfO:u8AbWIjJVI1S3/ZXv+Vf7
MD5:	663173125365C1951ACA4C6321202F1D
SHA1:	260DFE199A218B39E28BD466E19045A82EBD000F
SHA-256:	E0CDD32C776D44C6A3558B7890B1EE99E7F1E1A476CB31FAF2DBD2248F7270F6
SHA-512:	86B52DF4EEF7D8034F7C629D3B7D87DEB2D87F79B204E055415F0735EFDF5F328CA8522D8137AF554561EA38D4E0E6E0ADCD252EACA9EB021247785F0A53B4B6
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...0..........4......sRGB.........IDATx^.[.5]V.k..t.Q.D..JD...6D.....A....N.B...&.h<.x..Q...l...5&&.$..b...i...V.....t7..S....g.Yk...u+t......5k.qx.3....z.....#>.#............9....C....!?$-4..........................\.....f`>r..c\|.K..1...i\-I.,..K...vl.AmK;.`a..%z.F.1...;...m.. .....F..(!..u.. .f.Y.$.x..q.x.......~......-.H.\|.!........7a.d...a.z1. ........9.J7!U3.)..7......W"/......(......Z.A.7t.E..\|..e....1`.^.Q.......6....NA.....x...}.#..)%..eR[.V.tD9c3D.aU8....G....l.Gi.:R G>.fr...#......F}'O.l...L.,.&HT..E/...fr...O....Qx..&...G)o.F..8......Gt....6....<.!z.d.=iJ....@$...... ...d.P:.z.$.@.....Ku.C.i$a..b.F/........f.y.L.....y...\|L# \|.G}.I.!.....9.yMz..[....h..;.....p;7q....\|...[.!.4.\|.&..\|.2g...MP..D>.T*..t.m..QN.J.V 6`..'.K..[3.".be.'....oj.9...pFR.-...R+....6\|'j`Bh."......B.............(.D..a.8.6..mo{[.....j.n.@....HP&..Tb".....d Ir.z.PcI.1.......).7..c.m. ?..xV.9... ......\.mM..mq.....f.JK.vj.....YQ.@....a...4.%.(Z...dL;.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EC08EB3F.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
File Type:	PNG image data, 1878 x 859, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1676371
Entropy (8bit):	7.998189506384485
Encrypted:	true
SSDEEP:	49152:ANYzajHQTh2GxyDqPNJ6EpAjmPrEL7VK3cKmF:YawMhLgq76BjB7+cV
MD5:	F3EEC0D9E13521FDE11A66E2153038F6
SHA1:	24F40F91B0036932D864D815015309238DDD7187
SHA-256:	B330F0FE946812BBA4C6A431FAC385744CD3A1AC0B35647B89074A8D7D2ADCB5
SHA-512:	E56C692415857C854AF734A4D9D0CB7B1A9D1C2C51107B6E678B3B48571CC70104CB9C6C1F13DAC2072E6254687FEFC03518DBC3B167A7410E99579530EB7986
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...V...[.....~y.`....sRGB.........IDATx^..}.~...u...g..93.L).......Eb.#..b..H..$.(D..a$Q.....#x..........E.Phe.....e.s......c]....=...>.Y.Z....~.....Y.k}....}.>...?..g~...>....x...~.../^..e..N.".)..".)..".)..".)..".)..".)..".)..".)..".)..".).O.......o..}.........}....}`...S.....y...../.......6...O....O....O....O....O....O....O....O....O....O....._......w.........wo....p{......W.....w...~......o}.a....JW.}..._.........x......^{.w_.x...>x..7.}.{...;.}..{.....Wg^>_.y.W4{......G/.........Y.c.5Vgz1R_.;..5.@....\|......_z....:6.....q.....:..`1.c.....r..y..3...._.&.E..@.y.7..........!........7J.{....c../......U....j...O.K.g>.a5......X.* ...p.{.....w...?......rcdp.U2..<k.p....O....P.s...:..\wP,#.....{.%t...o.W........(.....7.6..[#...z...Ai....A....m.so..c.......wU........{.k\.2.{.o,....^.......zK.......Z.<g..z...+>...l........G..^y.}E*..{..".0....cg...Pe......,'.r.c.@..O.8..3....o].C.p...~.....:..`...s;....z.m

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	3.8999991615491365
Encrypted:	false
SSDEEP:	3:HaLSJ9pSmxWaLSv:HCgL7c
MD5:	D6BFC5395D1EE511AF3B1E56D5DDBB0F
SHA1:	1E6799F992873A79B3DE3D9AF4691DA10DA7CB1C
SHA-256:	7EB8B74233CC568DB2FA5E5248CFC870306A81EFF543E327CE8F16745C6E0644
SHA-512:	2CCD3C0B24CE033720765D9822E98F3719C7014748D42D99D9D5B89A2546D5687D30549B4F2351547656C39AF820B3CDDD74A77B74BB776E9D93B8283EC78A37
Malicious:	false
Reputation:	low
Preview:	[misc]..test.LNK=0..test.LNK=0..[misc]..test.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\test.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed Aug 26 14:08:15 2020, atime=Thu Jun 3 14:17:34 2021, length=4774483, window=hide
Category:	dropped
Size (bytes):	1974
Entropy (8bit):	4.505710769121066
Encrypted:	false
SSDEEP:	48:8e/XT0jFUfVJbIxhQh2e/XT0jFUfVJbIxhQ/:8e/XojFUVohQh2e/XojFUVohQ/
MD5:	243251350062EC6DA0142F4C1F2C0D1F
SHA1:	6AAF2BEE918A4F7A44C7D971EF2725EB5D07604B
SHA-256:	86AB7F887511AAE3E0E4DBDE90CA93FFD1F79C8C52B74CAAC15FC61B75D649B0
SHA-512:	B859A5BEF08C6B7606DB408DA647367C40C1B514141D305F01477FA31D7F39A34E8A64BB765A3358E21EC81174C7687345E21F268F3190610634A00190EF84AD
Malicious:	false
Reputation:	low
Preview:	L..................F.... ...-....{..-....{....s..X..S.H..........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....Z.2.S.H..R2z .TEST~1.PPS..@.......Q.y.Q.y...8.....................t.e.s.t...p.p.s.m.......s...............-...8...[............?J......C:\Users\..#...................\\745481\Users.user\Desktop\test.ppsm. .....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.t.e.s.t...p.p.s.m.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......745481..........D_....3N...W...9F.C...........[D_....3N...W...9F.C...........[....L............

C:\Users\user\Desktop\ppt2EFC.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
File Type:	data
Category:	dropped
Size (bytes):	4816307
Entropy (8bit):	7.997481132276751
Encrypted:	true
SSDEEP:	98304:8LR74+PkzR5oR9t6L9v+zfcM4uMZM/N9TawMhLgq76BjB7+cf:MlZM5oR9t6ZHM4u+MF9TaXB7IBz
MD5:	422A649BF92C722963236C5CC6FF34EA
SHA1:	2095A8BC45320F9D8A4654D3CABE83258BEAEB49
SHA-256:	562773D99E837AAE5BF8AC515B2CF538AC06CBDD8DC087D831B7CA0C418A5B92
SHA-512:	37888C176F049F1AF885447330CDDAE6E68F3AEC758096F49E3E332408AD393038C824C9FCD93414BA24A4CEE3F6D855633074106728312BE8E68020B4677A0F
Malicious:	false
Reputation:	low
Preview:	..r.0....;xt...M..&.6=.Of.>...PjK.i...].:..C.....bw..$..n..,X.uR......@%:.j..?...+.8...V..58v3~.ft.6...V.fsD.s..!......L........_1.~1.\.D+..!.9.x...b.ap.H.K..f,.R..(.3....s..1.j'B...D -./U.....L ZN......d......f...k!xLX..Q..tsi.;Rn.U1.T....._..V.....?EN.qc....D....3Ub...k.T...2..^E.H..Ub..).....C...t.xm0\|..^..:Y....<+..B/b.h..8...%.!x.r..''.x.........~k..NF.^.=.wlE......V..l... .d..o...iZ+.......]w.......w.......t.....e..7.1......nL..m7..c.].ez...t.LWg.t}.L..9B...k.jw.n.U.Q....oZ8\|+6.Y..........YS...H}...w..(......w..........PK..........!...pP,...........[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\ppt2EFC.tmp:Zone.Identifier Download File
Process:	C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\~$test.ppsm Download File
Process:	C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4426651152920147
Encrypted:	false
SSDEEP:	3:vTFDJw2fV:vTFGS
MD5:	0E60104DE3CE99B9DED6F2DA9722B110
SHA1:	67200E231E7781D2F4EDB148A7B0D82E147BA1AD
SHA-256:	9FA22361697857804FA6686A0778E3F40D705525A3497DCCA369C6FAC1D9C44C
SHA-512:	AEDC126BB4F909F4B662192A6F1CE250000BE194FB1F56E18EAFBCFFABFF0DFFC548320CAD2836408B944B948A94D965B211C18F01844EF4943A9E6C9B13C9E0
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	.user. ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General
File type:	Microsoft PowerPoint 2007+
Entropy (8bit):	7.9975334880874565
TrID:	PowerPoint Microsoft Office Open XML Format document with Macro (152004/1) 45.44% PowerPoint Microsoft Office Open XML Format document (133004/1) 39.76% PowerPoint Macro-enabled Open XML add-in (41504/1) 12.41% ZIP compressed archive (8000/1) 2.39%
File name:	test.ppsm
File size:	4802837
MD5:	99a4963b54d93b286ff5de714c7f5010
SHA1:	66fb2a56df63e96af7b43b843a918370a8763147
SHA256:	61af0a3d3d4d9b0a52b94b96830adc7bbe000f626c02c8914b001c155e90d9da
SHA512:	10730a459c46e01eb1d3cc6191a64ed92dc3faa650507a1f5164dbd4c74b5c5eb5334e8c11abddf211e90ea61b96a0a1a270b8ee60e9cddb6b94ec87a3aaf969
SSDEEP:	98304:BPLR74+PkzR5oRJt6L9v+jfcM4uMZM/NjGawMhLgq76BjB7+cb:ZlZM5oRJt6ZjM4u+MFjGaXB7IBH
File Content Preview:	PK..........!...pP............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4e4e6b0b8bcb8da

Static OLE Info

General
Document Type:	OpenXML
Number of OLE Files:	1

OLE File "/opt/package/joesandbox/database/analysis/428845/sample/test.ppsm"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Title:	Test
Author:	Windows 사용자
Template:
Last Saved By:	Administrator
Revion Number:	17
Total Edit Time:	237
Create Time:	2021-04-26T04:52:20Z
Last Saved Time:	2021-05-27T01:34:49Z
Number of Words:	4
Creating Application:	Microsoft Office PowerPoint

Document Summary
Number of Paragraphs:	2
Thumbnail Scaling Desired:	false
Company:
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	16.0000

Streams with VBA

VBA File Name: Module1.bas, Stream Size: 2041

General
Stream Path:	VBA/Module1
VBA File Name:	Module1.bas
Stream Size:	2041
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . m N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 ea 04 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff f1 04 00 00 a9 06 00 00 00 00 00 00 01 00 00 00 ed 6d 4e e4 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Environ("temp")
strTxt;
VB_Name
VBA.CreateObject("WScript.Shell")
Print
Malicious_File()
%username%
%username%-%os%-%PROCESSOR_ARCHITECTURE%"
wsh.Run
Output
vbMinimizedNoFocus
"cmd.exe
Attribute
Close
Object:

VBA Code

Attribute VB_Name = "Module1"
Sub Malicious_File()
Dim wsh As Object: Set wsh = VBA.CreateObject("WScript.Shell")
Open Environ("temp") & "\art1204.bat" For Output As #1
Print #1, strTxt; "msg %username% %username%-%os%-%PROCESSOR_ARCHITECTURE%"
Close #1
wsh.Run "cmd.exe /c %temp%\art1204.bat", vbMinimizedNoFocus
End Sub

Streams

Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 461

General
Stream Path:	PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	461
Entropy:	5.15492702891
Base64 Encoded:	True
Data ASCII:	I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . M o d u l e = M o d u l e 1 . . H e l p F i l e = " " . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 9 0 9 2 3 C 3 A 4 0 3 A 4 0 3 E 4 4 3 E 4 4 " . . D P B = " 2 0 2 2 8 C D 3 A 9 D 3 A 9 2 C 5 7 D 4 A B 9 C E 7 1 F
Data Raw:	49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 50 61 63 6b 61 67 65 3d 7b 41 43 39 46 32 46 39 30 2d 45 38 37 37 2d 31 31 43 45 2d 39 46 36 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 31 0d 0a 48 65 6c 70 46 69 6c 65 3d 22 22 0d 0a 4e 61 6d 65 3d 22

Stream Path: PROJECTwm, File Type: data, Stream Size: 26

General
Stream Path:	PROJECTwm
File Type:	data
Stream Size:	26
Entropy:	2.50738010242
Base64 Encoded:	False
Data ASCII:	M o d u l e 1 . M . o . d . u . l . e . 1 . . . . .
Data Raw:	4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 00 00

Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 3196

General
Stream Path:	VBA/_VBA_PROJECT
File Type:	data
Stream Size:	3196
Entropy:	4.44450739494
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c .
Data Raw:	cc 61 b2 00 00 03 00 ff 12 04 00 00 09 04 00 00 b5 03 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: VBA/dir, File Type: data, Stream Size: 717

General
Stream Path:	VBA/dir
File Type:	data
Stream Size:	717
Entropy:	6.34806419391
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . U . . b . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -
Data Raw:	01 c9 b2 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 b5 03 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 55 1f 89 62 07 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: POWERPNT.EXE PID: 1948 Parent PID: 584

General

Start time:	08:17:36
Start date:	03/06/2021
Path:	C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' /AUTOMATION -Embedding
Imagebase:	0x13fa40000
File size:	2163560 bytes
MD5 hash:	EBBBEF2CCA67822395E24D6E18A3BDF6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Disassembly

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Module1

Declaration

Line	Content
1	Attribute VB_Name = "Module1"

Non-Executed Functions

Subroutine Malicious_File, APIs: 6, Strings: 4, Number of lines: 8, Relevance: 19.258

APIs	Meta Information
CreateObject
Open
Environ
strTxt
Run
vbMinimizedNoFocus

Strings	Decrypted Strings
"WScript.Shell"
"temp"
"msg %username% %username%-%os%-%PROCESSOR_ARCHITECTURE%"
"cmd.exe /c %temp%\art1204.bat"

Line	Instruction	Meta Information
2	Sub Malicious_File()
3	Dim wsh as Object
3	Set wsh = VBA.CreateObject("WScript.Shell")	CreateObject
4	Open Environ("temp") & "\art1204.bat" For Output As # 1	Open Environ
5	Print # 1, strTxt ; "msg %username% %username%-%os%-%PROCESSOR_ARCHITECTURE%"	strTxt
6	Close # 1
7	wsh.Run "cmd.exe /c %temp%\art1204.bat", vbMinimizedNoFocus	Run vbMinimizedNoFocus
8	End Sub

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report test.ppsm

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Compliance:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "/opt/package/joesandbox/database/analysis/428845/sample/test.ppsm"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Module1.bas, Stream Size: 2041

General

VBA Code Keywords

VBA Code

Streams

Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 461

General

Stream Path: PROJECTwm, File Type: data, Stream Size: 26

General

Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 3196

General

Stream Path: VBA/dir, File Type: data, Stream Size: 717

General

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: POWERPNT.EXE PID: 1948 Parent PID: 584

General

Chronological Activities

Disassembly