Beware of infected PowerPoint files

Security researchers at PhishMe have warned of new malware circulating in a PowerPoint presentation. What sets this particular threat apart from the others is that it uses PowerPoint Custom Actions, rather than macros, to execute a malicious payload.

That way, the attacker can avoid any controls that assert on macro enabled Office attachments.

Here's how the attack works:

The attacker creates a new PowerPoint presentation and adds the malicious script as an OLE object. The object is hidden behind a header image.

Then the attacker creates a Custom Action, set to trigger "With Previous" with the action "Activate Contents", to execute the OLE object.

The file is saved as a PowerPoint Show, so that the slideshow begins immediately upon running the file.
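The three steps above give a defender something concrete to look for: an embedded OLE object together with an animation command that activates it. The triage script below is an added example, not PhishMe's code or anything from the original post; it inspects an OOXML presentation (.pptx/.ppsx, which is a zip container) for entries under ppt/embeddings/ and for a PresentationML `p:cmd` element of type "verb" (the OLE-verb command that an "Activate Contents" action produces) in any slide's timing XML. The sample file it builds is constructed for the demonstration, and the verb index it uses is a placeholder; legacy binary .pps files would need an OLE compound-file parser instead.

```python
"""Flag OOXML presentations that pair an embedded OLE object with an
OLE-verb custom action, the combination described above."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PML_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"
CMD_TAG = f"{{{PML_NS}}}cmd"


def scan_pptx(data: bytes) -> dict:
    """Return findings for an in-memory .pptx/.ppsx file."""
    findings = {"embedded_objects": [], "ole_verb_commands": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            # Embedded OLE objects are stored under ppt/embeddings/ regardless of extension.
            if name.startswith("ppt/embeddings/"):
                findings["embedded_objects"].append(name)
            # Animations, including custom actions, live in each slide's <p:timing> tree.
            elif re.fullmatch(r"ppt/slides/slide\d+\.xml", name):
                root = ET.fromstring(z.read(name))
                for cmd in root.iter(CMD_TAG):
                    # type="verb" invokes an OLE verb on the target object;
                    # "Activate Contents" is one such verb.
                    if cmd.get("type") == "verb":
                        findings["ole_verb_commands"].append((name, cmd.get("cmd")))
    # Either artefact alone is common in benign decks; the pair is what matters here.
    findings["suspicious"] = bool(findings["embedded_objects"] and findings["ole_verb_commands"])
    return findings


def build_sample(with_verb: bool) -> bytes:
    """Constructed minimal presentation for the demo (placeholder content, not a real sample)."""
    cmd = '<p:cmd type="verb" cmd="3"/>' if with_verb else '<p:cmd type="evt" cmd="onstopaudio"/>'
    slide = (f'<p:sld xmlns:p="{PML_NS}"><p:timing><p:tnLst><p:par>'
             f'<p:cTn><p:childTnLst>{cmd}</p:childTnLst></p:cTn>'
             '</p:par></p:tnLst></p:timing></p:sld>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", slide)
        z.writestr("ppt/embeddings/oleObject1.bin", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_pptx(build_sample(with_verb=True)))
```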

Sean Wilson, a researcher at PhishMe, explains, "Although using PowerPoint attachments is not new, these types of attacks are interesting as they generally bypass controls that assert on macro enabled Office attachments."

"When a user opens the presentation, it opens in 'show mode' displaying the first slide to the user; this triggers the custom action and executes the embedded payload. When the embedded content is executed the user will be prompted with a security warning asking if they want to open/execute the file. In samples we've observed the script was named Powerpoint.vse likely to further trick users into executing the malicious payload. Analysing the presentation contents, it's evident that some steps were taken by the attacker to hide the inclusion of the script from the user. An image set to look like the presentation header is placed in the foreground covering the embedded Object icon and can easily be moved for further inspection."

Sean concludes the report by saying that attackers will often abuse legacy Office formats.