Deeper Analyzis of my Last Malicious PowerPoint Add-On

Last week, I wrote a diary about a malicious PowerPoint add-on[1] and I concluded by saying that I was not able to continue the investigation because the URL found in the macro pointed to a blogspot.com URL. Ron, one of our readers, found that this page was indeed malicious and contained some piece of JavaScript executed by mshta.exe.

The document discovered by Ron was not identical to mine (the macro slightly changed) but it pointed to the same URL (the blog has been closed by Blogger in the meantime).

How did I miss this simple piece of JavaScript? I don't know but thanks to Ron for sharing the nice document[2]. Very interesting read!

[1] https://isc.sans.edu/forums/diary/Malicious+PowerPoint+AddOn+Small+Is+Beautiful/27342/
[2] http://isc.h2392901.stratoserver.net/Xavier_1.pdf

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS October Singapore 2022

Xme

712 Posts
ISC Handler
Apr 28th 2021

Sign Up for Free or Log In to start participating in the conversation!