Malicious PowerPoint Files Constantly Being Distributed

In April 2021, the ASEC analysis team covered malware delivered via PowerPoint files attached to emails on the ASEC blog. The team has since found continued malicious activity that uses PowerPoint files in the PPAM format and is sharing the details here.

When the macro included in the PowerPoint file is executed, it uses mshta.exe to load the source of a Blogspot website into which a malicious script has been inserted. What distinguishes this case is that the chain has become more complicated, with additional steps that use powershell.exe and wscript.exe.

Figure 1. Phishing e-mail to which PowerPoint file is attached

When the macro (VBA code) in the PPAM file is executed, it calls an external script through mshta.exe. The final URL is confirmed to be a Blogger website with malicious scripts inserted. The scripts are inserted in two places: one is annotated (commented out), so it does nothing when executed, and the malicious behavior is performed by the other script further down. (The annotated script is described in the latter part of this post.)

Figure 2. Malicious script executed with mshta.exe upon allowing PowerPoint macro

Figure 3. Redirected website (with malicious scripts inserted)

Figure 4. Annotated malicious script

Figure 5. Additionally inserted malicious script below (consequential when executed)

When the inserted script in Figure 5 is decrypted, the code shown in Figure 6 is revealed. As shown in line 45, it contains a script that executes after calling the external URL from line 39 (see Figure 5).

Figure 6. Command that executes the script of an external website (line 45)

Figure 7. External URL found in the final script (Google is assumed to be for testing purposes)

The script that is not annotated is written to download the web source of Google's main page, but if the attacker edits the URL, it can download scripts from a malicious website. Based on the characteristics seen in this execution flow, the internal infrastructure showed that files of the same type have been distributed.

The PowerPoint files distributed as attachments usually have filenames disguised to look like PDF files, as shown below. Judging by when the files were collected through the internal infrastructure, they have been distributed in large numbers since around the end of July.

  • 1,pdf.ppam
  • 7,pdf.ppam
  • 9,pdf.ppam
  • 19,pdf.ppam
  • ReservationId ,pdf.ppam
  • swift copy,pdf.ppam
  • Outstanding and Overdue Balances 31-07-21,pdf.ppam
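The process chain described earlier (PowerPoint macro, then mshta.exe fetching a remote page, then powershell.exe and wscript.exe) and the ",pdf.ppam" attachment names listed above can be checked against process-creation telemetry. The following is an added detection sketch, not code from the original post or from AhnLab; the event fields, sample events, URLs and rule names are constructed, and it assumes mshta.exe appears as a direct child of POWERPNT.EXE.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Constructed process-creation events (Sysmon Event ID 1 style); not from the post.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "cmdline": r'POWERPNT.EXE "C:\Users\u\Downloads\swift copy,pdf.ppam"'},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://blog.example.invalid/p/1.html"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe <constructed placeholder>"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "wscript.exe <constructed placeholder>"},
    # Benign controls: admin PowerShell, and mshta opening a local file.
    {"pid": 500, "ppid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\admin\backup.ps1"},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\local\help.hta"},
]

REMOTE_URL = re.compile(r"\bhttps?://", re.IGNORECASE)
PDF_LURE = re.compile(r"[,.]pdf\.ppam\b", re.IGNORECASE)  # e.g. "swift copy,pdf.ppam"
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe"}

def exe(event):
    return basename(event["image"]).lower()

def detect_chain(events):
    """Return (pid, rule) alerts; events must be in creation order, PIDs unique."""
    by_pid = {e["pid"]: e for e in events}
    tainted, alerts = set(), []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if exe(e) == "powerpnt.exe" and PDF_LURE.search(e["cmdline"]):
            alerts.append((e["pid"], "ppam_with_pdf_lure_name"))
        elif (exe(e) == "mshta.exe" and parent is not None
              and exe(parent) == "powerpnt.exe" and REMOTE_URL.search(e["cmdline"])):
            tainted.add(e["pid"])
            alerts.append((e["pid"], "powerpoint_spawned_mshta_remote_url"))
        elif e["ppid"] in tainted:
            tainted.add(e["pid"])  # propagate so deeper descendants are tracked
            if exe(e) in SCRIPT_HOSTS:
                alerts.append((e["pid"], "script_host_under_mshta_chain"))
    return alerts

if __name__ == "__main__":
    for pid, rule in detect_chain(SAMPLE_EVENTS):
        print(pid, rule)
```

Processes started through WMI are parented to WmiPrvSE.exe rather than to the process that requested them, so a parent-child rule like this one does not follow that hop and needs a separate correlation.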

The following is a brief description of the annotated malicious script. All of the websites below that were additionally found have malicious scripts inserted. The shaded area in the figure (line 69) shows the command, which is the CLASSID of “Wscript.Shell” that runs with WMI. The website ‘hxxps://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles[.]com’ found at the bottom of the script hosts AgentTesla malware in binary form, and if this script is executed, the malware runs filelessly in memory.

Ultimately, the malware covered in the April post mentioned at the beginning (AgentTesla running in fileless form) has become more complicated through the annotated malicious scripts and continues to be distributed to this day.

Figure 8. Commented script when decoded (excerpt)

Figure 9. AgentTesla malware that runs in a fileless form

As always, because a substantial share of threats arrives via spam emails, users should refrain from opening attachments in emails from unknown sources.

Also, users are advised to update the anti-malware engine pattern to its latest version.

AhnLab’s anti-malware product, V3, detects and blocks the malicious files introduced in the post using the aliases below.

[File Detection]

5dc1292f5d2e3441e25c4ec6e41d3fa1 (PE)

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
