Co-authored by Gustavo Palazolo and Ghanashyam Satpathy
Summary
In 2021, malicious Office documents accounted for 37% of all malware downloads detected by Netskope, showing favoritism for this infection vector among attackers. This is likely due to the ubiquitous usage of Microsoft Office in enterprises across the globe. Throughout 2021 we have analyzed many techniques used by attackers to deliver payloads through infected documents, which included the return of Emotet, a campaign that primarily uses infected documents to spread malware.
Since December 2021, Netskope Threat Labs has observed an increase in the usage of one specific file type from the Microsoft Office suite: PowerPoint. These relatively small files are being delivered through phishing emails, then downloading and executing malicious scripts through LoLBins, a common technique often used to stay under the radar.
We spotted this campaign delivering multiple malware, such as AveMaria (a.k.a. Warzone) and AgentTesla. These files are using Bitly to shorten URLs and different cloud services like MediaFire, Blogger, and GitHub to host the payloads. In this blog post, we will analyze a malicious PowerPoint Add-In file detected by Netskope that delivers multiple malware, including AgentTesla.
Stage 01 – Infected PowerPoint File
The infection flow starts with a phishing email that carries the infected file as an attachment, along with a message that lures the victim to download and open it.
The file is fairly small and it doesn’t contain anything but the malicious VBA macro.
The macro is obfuscated and it uses an internal function to decrypt important strings at runtime.
The script deobfuscation is straightforward and leads to the following VBA code.
This technique uses Outlook (COM Object) to execute PowerShell, which bypasses the child process c