Deeper Analyzis of my Last Malicious PowerPoint Add-On

Published: 2021-04-28. Last Updated: 2021-04-28 05:56:53 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

Last week, I wrote a diary about a malicious PowerPoint add-on[1] and I concluded by saying that I was not able to continue the investigation because the URL found in the macro pointed to a blogspot.com URL. Ron, one of our readers, found that this page was indeed malicious and contained some piece of JavaScript executed by mshta.exe.

The document discovered by Ron was not identical to mine (the macro slightly changed) but it pointed to the same URL (the blog has been closed by Blogger in the meantime).

How did I miss this simple piece of JavaScript? I don't know but thanks to Ron for sharing the nice document[2]. Very interesting read!

[1] https://isc.sans.edu/forums/diary/Malicious+PowerPoint+AddOn+Small+Is+Beautiful/27342/
[2] http://isc.h2392901.stratoserver.net/Xavier_1.pdf

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Keywords: JavaScript Malware Mshta VBS
0 comment(s)
ISC Stormcast For Wednesday, April 28th, 2021 https://isc.sans.edu/podcastdetail.html?id=7476

Comments

Login here to join the discussion.


Diary Archives