{"id":129442,"date":"2021-09-21T18:47:42","date_gmt":"2021-09-22T01:47:42","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=129442"},"modified":"2025-06-02T19:31:21","modified_gmt":"2025-06-03T02:31:21","slug":"malicious-powerpoint-documents-on-the-rise","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malicious-powerpoint-documents-on-the-rise\/","title":{"rendered":"Malicious PowerPoint Documents on the Rise"},"content":{"rendered":"

Authored by Anuradha M<\/span><\/span><\/p>\n

McAfee Labs have observed a new phishing campaign that utilizes macro capabilities available in Microsoft PowerPoint. In this campaign, the spam email comes with a PowerPoint file as an attachment. Upon opening the malicious attachment, the VBA macro executes to deliver variants of AgentTesla which is a well-known password stealer.\u202fThese spam emails purport to be related to financial transactions. <\/span>\u00a0<\/span><\/p>\n

AgentTesla is a RAT (Remote Access Trojan) malware that<\/span>\u00a0<\/span>has<\/span>\u00a0<\/span>been active since 2014. Attackers use this RAT as MASS(Malware-As-A-Service) to\u202fsteal user credentials and other information from victims through screenshots, keylogging, and clipboard captures. Its modus operandi is predominantly via phishing campaigns.<\/span>\u00a0<\/span><\/p>\n

During Q2, 2021, we have seen an increase in PowerPoint malware.<\/span>\u00a0<\/span><\/p>\n

In this\u00a0<\/span>campaign<\/span>,<\/span>\u00a0the\u00a0<\/span>spam email\u00a0<\/span>contains\u00a0<\/span>an<\/span>\u00a0<\/span>attach<\/span>ed<\/span>\u00a0<\/span>file with<\/span>\u00a0a<\/span>\u00a0<\/span><\/span>.<\/span>ppam<\/span><\/span>\u00a0<\/span>extension\u00a0<\/span>which is a PowerPoint<\/span>\u00a0<\/span>file\u00a0<\/span>containing<\/span>\u00a0<\/span>VBA<\/span>\u00a0<\/span>code<\/span>. <\/span>The<\/span>\u00a0sentiment\u00a0<\/span>used<\/span><\/span>\u00a0<\/span><\/span>was<\/span> finance-related<\/span>\u00a0<\/span>themes <\/span>such as<\/span>:\u00a0<\/span>\u201c<\/span>New PO300093 Order<\/span>\u201d<\/span>\u00a0as shown in Figure<\/span>\u00a0<\/span>2<\/span>. The attachment\u202ffilename is\u00a0<\/span>\u201c<\/span>300093.<\/span>p<\/span>df.ppam<\/span>\u201d.<\/span><\/span>\u00a0<\/span><\/p>\n

PPAM file:<\/span><\/i><\/b>\u00a0<\/span><\/h2>\n

This file type was introduced in 2007 with the release of Microsoft Office 2007. It\u202fis a\u202fPowerPoint macro-enabled Open XML add-in file. It contains components that add additional functionality, including extra commands, custom macros, and new tools for extending default PowerPoint functions.\u00a0<\/span>\u00a0<\/span><\/p>\n

Since\u202fPowerPoint supports \u2018add-ins\u2019 developed by third parties to add new features,\u00a0attackers abuse this feature to\u00a0<\/span>automatically execute macros<\/span><\/b>.<\/span>\u00a0<\/span><\/p>\n

Technical\u00a0Analysis:<\/span><\/i><\/b>\u00a0<\/span><\/h2>\n

Once\u00a0the victim opens the\u202f<\/span>“.ppam”<\/span><\/i><\/b> file, a security notice warning pop-up as shown in Figure 3 to alert the user about the presence of macro.<\/span><\/p>\n

From <\/span>Figure<\/span>\u00a0<\/span>4<\/span>,<\/span>\u00a0<\/span>you can see\u00a0<\/span>that t<\/span>h<\/span>e Add-in feature<\/span>\u00a0of the\u00a0<\/span>PowerPoint<\/span>\u00a0<\/span>can be identified from the\u00a0<\/span>content\u202fof\u202f[Content_Types].xml file which will\u00a0<\/span>be\u00a0<\/span>present inside the\u00a0<\/span>ppam<\/span>\u00a0file.<\/span><\/span>\u00a0<\/span><\/p>\n

\u00a0The\u00a0PPAM file\u00a0contains the following\u00a0files and directories\u00a0which can be seen\u00a0upon\u00a0extraction.<\/span><\/i>\u00a0<\/span><\/p>\n