Malicious PPT No Macros

From Colin Hardy

TL;DR


A really interesting sample recently came to light where a mouse-hover event in PowerPoint invokes PowerShell to download a malicious .jse (JScript Encoded) file. The PowerPoint contains no macro code; it uses a novel technique to invoke PowerShell, which then pulls down the .jse file. I show you how to decode the .jse file and then deobfuscate its contents so you can extract key network indicators to protect your environment. Enjoy!
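Because the document carries no VBA, macro-focused triage tools will report it clean. The hover action lives in the slide XML instead. The following scanner is an added example written for this page, not code from the original post or its author: it unpacks a .pptx and flags any `a:hlinkMouseOver` or `a:hlinkClick` element whose action is `ppaction://program` (the OOXML "run program" action), resolving the `r:id` through the slide's `.rels` file to show the command line that would be executed. The sample presentation it builds is constructed for the demo, and the PowerShell command line in it is a placeholder, not the sample's real launcher.

```python
"""Scan a .pptx for slide actions that launch an external program on
mouse-over or click (the macro-less technique described above).

Assumed OOXML layout (per the DrawingML/PresentationML schemas):
  ppt/slides/slideN.xml          -> shapes with <a:hlinkMouseOver>/<a:hlinkClick>
  ppt/slides/_rels/slideN.xml.rels -> Relationship Id -> Target (the command line)
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_A = "http://schemas.openxmlformats.org/drawingml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"

# Interpreters a slide has no business launching; matched case-insensitively
SUSPICIOUS_TARGET = re.compile(r"(powershell|cmd\.exe|mshta|wscript|cscript|rundll32)", re.I)


def _rels_for(z: zipfile.ZipFile, slide_name: str) -> dict:
    """Map relationship Ids to Targets for one slide (empty if no .rels part)."""
    folder, _, fname = slide_name.rpartition("/")
    rels_name = f"{folder}/_rels/{fname}.rels"
    rels = {}
    if rels_name in z.namelist():
        root = ET.fromstring(z.read(rels_name))
        for rel in root.iter(f"{{{NS_REL}}}Relationship"):
            rels[rel.get("Id")] = rel.get("Target", "")
    return rels


def scan_pptx(data: bytes) -> list:
    """Return one finding per hover/click action that runs a program."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not re.fullmatch(r"ppt/slides/slide\d+\.xml", name):
                continue
            rels = _rels_for(z, name)
            root = ET.fromstring(z.read(name))
            for tag in ("hlinkMouseOver", "hlinkClick"):
                for el in root.iter(f"{{{NS_A}}}{tag}"):
                    action = el.get("action", "")
                    target = rels.get(el.get(f"{{{NS_R}}}id"), "")
                    if action.startswith("ppaction://program") or SUSPICIOUS_TARGET.search(target):
                        findings.append({"slide": name, "event": tag,
                                         "action": action, "target": target})
    return findings


def _make_pptx(slide_xml: str, rels_xml: str) -> bytes:
    """Build a minimal .pptx in memory (only the parts the scanner reads)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("ppt/slides/slide1.xml", slide_xml)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


def build_hover_sample() -> bytes:
    """Constructed sample: a text run whose mouse-over runs a program."""
    slide = f"""<?xml version="1.0" encoding="UTF-8"?>
<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"
       xmlns:a="{NS_A}" xmlns:r="{NS_R}">
  <p:cSld><p:spTree><p:sp><p:txBody><a:p><a:r>
    <a:rPr lang="en-US"><a:hlinkMouseOver r:id="rId2" action="ppaction://program"/></a:rPr>
    <a:t>Loading... Please wait</a:t>
  </a:r></a:p></p:txBody></p:sp></p:spTree></p:cSld>
</p:sld>"""
    rels = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{NS_REL}">
  <Relationship Id="rId1" Type="{NS_R}/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="{NS_R}/hyperlink" TargetMode="External"
                Target="powershell.exe -NoP -w hidden [PLACEHOLDER_LAUNCHER]"/>
</Relationships>"""
    return _make_pptx(slide, rels)


def build_benign_sample() -> bytes:
    """Constructed sample: an ordinary clickable web link, which must not fire."""
    slide = f"""<?xml version="1.0" encoding="UTF-8"?>
<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"
       xmlns:a="{NS_A}" xmlns:r="{NS_R}">
  <p:cSld><p:spTree><p:sp><p:txBody><a:p><a:r>
    <a:rPr lang="en-US"><a:hlinkClick r:id="rId2"/></a:rPr><a:t>Our website</a:t>
  </a:r></a:p></p:txBody></p:sp></p:spTree></p:cSld>
</p:sld>"""
    rels = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{NS_REL}">
  <Relationship Id="rId2" Type="{NS_R}/hyperlink" TargetMode="External" Target="https://example.com/"/>
</Relationships>"""
    return _make_pptx(slide, rels)


if __name__ == "__main__":
    for f in scan_pptx(build_hover_sample()):
        print(f"{f['slide']}: {f['event']} {f['action']} -> {f['target']}")
```

Run against a real file with `scan_pptx(open("deck.pptx", "rb").read())`. Matching on the `ppaction://program` action rather than only on the target string is the important design choice: the command line can be obfuscated, but the action URI cannot be, since PowerPoint needs it verbatim to know what to do with the link.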

Video


IOCs


Sample MD5: 3bff3e4fec2b6030c89e792c05f049fc

Payload URLs:

  • hxxp://cccn[.]nl/c.php
  • hxxp://cccn[.]nl/2.2

Payload File:

ii.jse MD5: f5b3d1128731cac04b2dc955c1a41114

Further Payload URL:

hxxps://185.159.82[.]38:45000/C/pollos.php?add=e9e45de07d328e8d46adf4357840be5e&599uid=somevalue&out=somevalue&ver=somevalue

Downloaded Binary MD5: d984f77b77b75c5c8c8cc2448c2b994d