Malicious PowerPoint Macro using Outlook.exe Being Distributed

The ASEC analysis team has recently discovered a change in malicious PowerPoint files that are continually being distributed. As same as before, they use the method of executing a malicious script using mshta.exe, but added is the utilization of outlook.exe during the process.

Malicious PowerPoint files are being distributed as attachments of phishing e-mails as shown below, and they contain information related to purchase inquiries. Also, the malicious PowerPoint file is disguised as a PDF extension like in the previous type.

  • Name of distributed file

Purchase Inquiry_pdf.ppt

Phishing mail that contains malicious PPT file

When the malicious PowerPoint file is run, a security notice appears where the user selects whether or not to enable macros. Selecting Enable macros will run the malicious macro.

Running malicious macro

The malicious macro consists of simple codes, and it is automatically run by the Auto_Open() function. This variant contains a process of creating an Outlook application object via CreateObject(“Outlook.Application”) and executing the mshta command.

Malicious macro (1)
Malicious macro (2)

Ultimately, mshta is run by the outlook process, and the figure below is the process tree confirmed in RAPIT system.

Process tree confirmed in RAPIT system

The mshta command is identical to the previous version as it connects to the Blogspot website that includes a malicious script. Additional malicious behavior cannot be checked as this website has now been deleted, but various malware such as AgentTesla can be run depending on the malicious script.

  • Malicious Command

“C:\Windows\System32\mshta.exe” “hxxp://”

  • Final URL


It appears that the change in the method of running the malicious commands via the outlook.exe process is to bypass behavior detection.

As malicious PowerPoint files have been continually distributed via phishing mails since last year, users need to take extra caution when dealing with unidentified files. Users should also refrain from opening files from unknown sources or running suspicious macro included in the file.

[File Detection]

  • Downloader/PPT.Generic

[Behavior Detection]

  • Execution/MDP.Mshta.M3815

[IOC Info]

  • 0769e2f9ed19847d1195aa1f31e7ed4a
  • hxxp://
  • hxxps://

 [Previous Blog Posts about Malicious PowerPoint Files]

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

0 0 votes
Article Rating
Notify of

Inline Feedbacks
View all comments