Malicious PPT No Macros

From Colin Hardy
Jump to: navigation, search


A really interesting sample recently came to light where a mouse-hover event in Powerpoint would invoke Powershell to download a malicious .jse file. The Powerpoint has no macro code, and uses a novel technique to invoke Powershell which then pulls down a malicious .jse file. I show you how to decode the .jse file and then deobfuscate its contents so you can extract key network indicators to protect your environment. Enjoy!



Sample MD5 3bff3e4fec2b6030c89e792c05f049fc

Payload URLs:

  • hxxp://cccn[.]nl/c.php
  • hxxp://cccn[.]nl/2.2

Payload File

ii.jse MD5 f5b3d1128731cac04b2dc955c1a41114

Further Payload URL:


Downloaded Binary: MD5 d984f77b77b75c5c8c8cc2448c2b994d