{
	"id": "0d37e705-6859-4251-99c5-6b7c867662c1",
	"created_at": "2026-04-06T01:30:29.043804Z",
	"updated_at": "2026-04-10T03:21:51.205346Z",
	"deleted_at": null,
	"sha1_hash": "2db706a22ce525d87baaefa6530cb2f02755041c",
	"title": "Infected PowerPoint Files Using Cloud Services to Deliver Multiple Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 118375,
	"plain_text": "Infected PowerPoint Files Using Cloud Services to Deliver Multiple\r\nMalware\r\nBy Gustavo Palazolo\r\nPublished: 2022-01-24 · Archived: 2026-04-06 00:56:07 UTC\r\nCo-authored by Gustavo Palazolo and Ghanashyam Satpathy\r\nSummary\r\nIn 2021, malicious Office documents accounted for 37% of all malware downloads detected by Netskope,\r\nshowing favoritism for this infection vector among attackers. This is likely due to the ubiquitous usage of\r\nMicrosoft Office in enterprises across the globe. Throughout 2021 we have analyzed many techniques used by\r\nattackers to deliver payloads through infected documents, which included the return of Emotet, a campaign that\r\nprimarily uses infected documents to spread malware.\r\nSince December 2021, Netskope Threat Labs has observed an increase in the usage of one specific file type from\r\nthe Microsoft Office suite: PowerPoint. These relatively small files are being delivered through phishing emails,\r\nthen downloading and executing malicious scripts through LoLBins, a common technique often used to stay under\r\nthe radar. \r\nWe spotted this campaign delivering multiple malware, such as AveMaria (a.k.a. Warzone) and AgentTesla. These\r\nfiles are using Bitly to shorten URLs and different cloud services like MediaFire, Blogger, and GitHub to host the\r\npayloads. In this blog post, we will analyze a malicious PowerPoint Add-In file detected by Netskope that delivers\r\nmultiple malware, including AgentTesla.\r\nStage 01 – Infected PowerPoint File\r\nThe infection flow starts with a phishing email that carries the infected file as an attachment, along with a message\r\nthat lures the victim to download and open it.\r\nhttps://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware\r\nPage 1 of 27\n\nPhishing email with a malicious attachment.\r\nThe file is fairly small and it doesn’t contain anything but the malicious VBA macro.\r\nInfected PowerPoint file.\r\nThe macro is obfuscated and it uses an internal function to decrypt important strings at runtime.\r\nhttps://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware\r\nPage 2 of 27\n\nObfuscated VBA code within the infected PowerShell file.\r\nThe script deobfuscation is straightforward and leads to the following VBA code.\r\nhttps://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware\r\nPage 3 of 27\n\nCommand executed by the malicious PowerShell file.\r\nThis technique uses Outlook (COM Object) to execute PowerShell, which bypasses the child process created by\r\nPowerPoint.\r\nPowerShell spawned by Outlook’s process.\r\nThe script is executed with a combination of PowerShell and mshta, a similar technique employed by\r\nBazarLoader.\r\nhttps://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware\r\nPage 4 of 27\n\nMalicious script being executed through LoLBins.\r\nStage 02 – VBS File\r\nThe URL contacted by the mshta binary is shortened through the Bitly domain “j.mp”, and the payload is hosted\r\non MediaFire, a cloud service for file storage and sharing.\r\nThe next stage is a VBS script that is lightly obfuscated within an HTML page, which is decoded and executed\r\nthrough a simple JavaScript function.\r\nhttps://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware\r\nPage 5 of 27\n\nSecond stage executed by the infected PowerPoint file.\r\nOnce deobfuscated, the VBS script performs multiple tasks to:\r\n1. Create a persistence mechanism through the Windows registry to execute two PowerShell scripts from\r\nexternal URLs. The first script delivers AgentTesla, and the second script is used to disable some OS\r\ndefenses, such as Windows Defender.\r\n2. Create a scheduled task that executes a script from an external URL through mshta approximately every\r\nhour. This script delivers a cryptocurrency stealer developed in PowerShell, hidden within a fake web page\r\nhosted with Blogger.\r\n3. Create a persistence mechanism through the Windows registry to execute a script from an external URL\r\nusing mshta. Unfortunately, we can’t tell what was being executed as this URL was offline at the time of\r\nthe analysis.\r\nhttps://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware\r\nPage 6 of 27\n\nMalicious VBS responsible for the next stages.\r\nStage 03 – AgentTesla\r\nThe first PowerShell script is responsible for executing AgentTesla, which is a .NET-based Remote Access Trojan\r\nwith many capabilities, such as stealing browser’s passwords, capturing keystrokes, clipboard, etc.\r\nThe code is slightly obfuscated, protecting variables, function names, and strings. There are two large arrays that\r\ncontain:\r\n1. Compressed bytes of AgentTesla;\r\n2. Compressed bytes of a .NET Injector used for process injection;\r\nNone of the executables are written to disk, which characterizes this attack as fileless.\r\nhttps://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware\r\nPage 7 of 27\n\nPowerShell script responsible for executing AgentTesla.\r\nOnce both files are decompressed, the script loads the injector and calls a function named “Execute”, responsible\r\nfor injecting AgentTesla payload into an instance of “aspnet_compiler.exe”, which is a binary from the .NET\r\nframework.\r\nhttps://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware\r\nPage 8 of 27\n\nRemoving a minor obfuscation in the PowerShell script, showing how the payload gets executed.\r\nMost of the injector’s function names are obfuscated, but we can see the namespace, the class, and the method that\r\nis being called to inject AgentTesla into a process. Furthermore, an injector using “projFUD” as namespace was\r\npreviously spotted in the wild, used by other malware such as ASyncRAT and RevengeRAT.\r\nhttps://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware\r\nPage 9 of 27\n\nInjector’s decompiled code.\r\nAgentTesla is developed in .NET and this sample is using a protector known as “Obfuscar”, which creates a few\r\nmechanisms in the code to make analysis harder.\r\nhttps://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware\r\nPage 10 of 27\n\nAgentTesla sample delivered by the infected PowerPoint file.\r\nDespite the protector’s usage, it’s still possible to see clean code from the decompiler, like this method that sends\r\nHTTP requests.\r\nhttps://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware\r\nPage 11 of 27\n\nFunction used by AgentTesla for network requests.\r\nAll the strings used by AgentTesla are encrypted within the binary, where all the characters are stored in a single\r\narray of bytes. Once it’s running, the code decrypts all the characters in the list using a simple XOR operation with\r\nthe encrypted byte, its position on the list, and the decimal 170.  Whenever AgentTesla needs to access a string, it\r\ncalls a function that returns the string by accessing its position in the list, and the respective length.\r\nhttps://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware\r\nPage 12 of 27\n\nAgentTesla string encryption scheme.\r\nUsing the same logic, we can use a combination of regex and a Python script to decrypt all the strings in the\r\nbinary. The complete list of decrypted strings can be found on our Github page.\r\nhttps://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware\r\nPage 13 of 27\n\nDecrypted strings from AgentTesla.\r\nFurthermore, AgentTesla sends an HTTP POST request to a malicious server with information about the infected\r\nmachine, such as the computer name, username, IP address, etc.\r\nhttps://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware\r\nPage 14 of 27\n\nAgentTesla HTTP request.\r\nStage 04 – PowerShell\r\nThe second PowerShell file executed by the VBS script in the second stage is mostly used to disable Windows\r\nDefender.\r\nhttps://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware\r\nPage 15 of 27\n\nPowerShell downloading the payloads.\r\nOnce running, it downloads a file from GitHub named NSudo, which is used for privilege escalation (TA0004).\r\nNSudo is executed as “TrustedInstaller” through the arguments  “-U:T”.\r\nhttps://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware\r\nPage 16 of 27\n\nGUI from downloaded file “NSudo”.\r\nThe second download is a VBS script hosted on MediaFire, which uses NSudo and other commands to disable\r\nWindows Defender and to add a few AV exclusions based on file extensions, paths, and executable names.\r\nhttps://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware\r\nPage 17 of 27\n\nVBS downloaded by PowerShell.\r\nThe VBS is executed through another Living-off-the-Land technique, by first creating an INF file with the\r\ncommand to be executed.\r\nhttps://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware\r\nPage 18 of 27\n\nPowerShell creating INF file.\r\nAnd then executing the INF file with the cmstp LoLBin.\r\nhttps://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware\r\nPage 19 of 27\n\nExecuting the INF file.\r\nStage 05 – Cryptocurrency Stealer\r\nThe third URL downloaded by the second stage VBS is hosted with Blogger, which tries to camouflage itself\r\nthrough a fake web page that says the content is sensitive.\r\nhttps://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware\r\nPage 20 of 27\n\nFake web page downloaded by the second stage.\r\nDespite the attempt to hide behind this web page, we can find two malicious VBS within the HTML, which are\r\ndecoded and executed with a simple JavaScript.\r\nhttps://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware\r\nPage 21 of 27\n\nVBS code hidden in the HTML page.\r\nOne of the VBS executed in this stage leads to the same PowerShell that delivers AgentTesla, which is redundant.\r\nHowever, the other VBS code leads to a simple cryptocurrency stealer written in PowerShell.\r\nhttps://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware\r\nPage 22 of 27\n\nVBS loading and executing the cryptocurrency stealer.\r\nThe malware is fairly simple, it works by checking the clipboard data with a regex that matches the\r\ncryptocurrency wallet pattern. If it is found, the data is replaced with the attacker’s wallet address.\r\nhttps://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware\r\nPage 23 of 27\n\nCryptocurrency stealer in PowerShell.\r\nThe code is able to replace the address for many coins, such as Bitcoin, Ethereum, XMR, DOGE, etc.\r\nhttps://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware\r\nPage 24 of 27\n\nCryptocurrency addresses used by the attacker.\r\nThe complete list of the addresses used by the attacker can be found on our GitHub page.\r\nConclusion\r\nAttackers not only continue to abuse Microsoft Office to deliver malware, but are also increasingly including\r\ncloud services in their attacks, as this adds a certain resilience to the entire process. Netskope Advanced Threat\r\nProtection includes a custom Microsoft Office file analyzer and a sandbox to detect campaigns like the one we\r\ndescribed in this analysis. We will continue to provide updates on this threat as it evolves.\r\nProtection\r\nNetskope Threat Labs is actively monitoring this campaign and has ensured coverage for all known threat\r\nindicators and payloads.\r\nNetskope Threat Protection\r\nDocument-Office.Trojan.AgentTesla\r\nhttps://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware\r\nPage 25 of 27\n\nWin32.Trojan.AgentTesla\r\nNetskope Advanced Threat Protection provides proactive coverage against this threat.\r\nGen.Malware.Detect.By.StHeur indicates a sample that was detected using static analysis\r\nGen.Malware.Detect.By.Sandbox indicates a sample that was detected by our cloud sandbox\r\nGen.Malware.Detect.By.StHeur.MsOffice indicates a sample that was detected by Netskope’s static ML\r\nMicrosoft Office analyzer engine.\r\nBelow we have an example of a sample detected by Netskope, which has a score of 9/63 on VirusTotal.\r\nhttps://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware\r\nPage 26 of 27\n\nIOCs\r\nA full list of IOCs and a Yara rule are all available in our GitHub repo.\r\nSource: https://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware\r\nhttps://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware\r\nPage 27 of 27",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware"
	],
	"report_names": [
		"infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775439029,
	"ts_updated_at": 1775791311,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2db706a22ce525d87baaefa6530cb2f02755041c.pdf",
		"text": "https://archive.orkl.eu/2db706a22ce525d87baaefa6530cb2f02755041c.txt",
		"img": "https://archive.orkl.eu/2db706a22ce525d87baaefa6530cb2f02755041c.jpg"
	}
}