{
	"id": "3885b2d2-da26-4e11-a843-8ad1b8115034",
	"created_at": "2026-04-06T00:18:37.535874Z",
	"updated_at": "2026-04-10T03:21:57.120923Z",
	"deleted_at": null,
	"sha1_hash": "842122fee8d130850200c6136fc842f27d95a0ac",
	"title": "CVE-2014-4114: Details on August BlackEnergy PowerPoint Campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 181048,
	"plain_text": "CVE-2014-4114: Details on August BlackEnergy PowerPoint\r\nCampaigns\r\nBy Robert Lipovsky\r\nArchived: 2026-04-05 16:18:56 UTC\r\nCybercrime\r\nIn this post we provide additional information on how a specially crafted PowerPoint slideshow file (.PPSX) led\r\nto the execution of a BlackEnergy dropper.\r\n14 Oct 2014  •  , 2 min. read\r\nAt the Virus Bulletin conference that took place in Seattle last month, we talked about how the BlackEnergy trojan\r\nhas evolved into a malicious tool used for espionage in Ukraine and Poland.\r\nIn our last post on the subject, we mentioned the following malware spreading vectors used in BlackEnergy\r\ncampaigns this year:\r\nMicrosoft Word documents containing exploits, e.g. the CVE-2014-1761 vulnerability\r\nExecutables with a Microsoft Word icon, to lure the victim into opening them\r\nExploitation of Java\r\nInstallation through the Team Viewer remote control software\r\nMicrosoft PowerPoint documents containing the CVE-2014-4114 vulnerability\r\nIn this post we provide additional information on the latter: how a specially crafted PowerPoint slideshow file\r\n(.PPSX) led to the execution of a BlackEnergy dropper.\r\nIn the August 2014 campaigns, a number of potential victims have received spear-phishing emails such as the one\r\nbelow.\r\nhttps://www.welivesecurity.com/2014/10/14/cve-2014-4114-details-august-blackenergy-powerpoint-campaigns/\r\nPage 1 of 4\n\nThe gist of the email’s Ukrainian text is that the Prime Minister of Ukraine, Arseniy Yatsenyuk, is instructing the\r\nProsecutor General's Office, the Security Service of Ukraine, Ministry of Internal Affairs and Ministry of Justice\r\nto check members of the parliament, parties and NGOs in Ukraine for any involvement in the support of rebels in\r\nthe East of Ukraine and that a list of potential terrorist supporters is attached.\r\nIf the recipient took the bait and opened the PPSX attachment, they would see what they’d expect from the email\r\ndescription – a list of names:\r\nWhat was more important, however, was what was happening in the background. The PowerPoint package\r\ncontained two embedded OLE objects, each with a remote path where the resource is located. The two files were\r\nhttps://www.welivesecurity.com/2014/10/14/cve-2014-4114-details-august-blackenergy-powerpoint-campaigns/\r\nPage 2 of 4\n\nnamed slide1.gif and slides.inf.\r\nIt is a feature of Microsoft PowerPoint to load these files, but it turned out to be a dangerous one, since the objects\r\ncould be downloaded from an arbitrary untrustworthy network location and executed with none of the warning\r\npop-ups, addressed in the MS12-005 patch.\r\nSo what were the two downloaded files? The .gif file was not an image but, in fact, a camouflaged BlackEnergy\r\nLite dropper. .INF files are executable and typically used to install device drivers.\r\nIn this particular instance, the .INF file’s job was to rename the BlackEnergy dropper from slide1.gif to\r\nslide1.gif.exe and execute it using a simple Windows Registry entry:\r\nFunctionally similar exploits have been known since at least 2012 but have not been widely abused. After seeing\r\nthis one actively used by malware in-the-wild, ESET has reported it to Microsoft on September 2nd, 2014.\r\nNow that the vulnerability has been recognized as CVE-2014-4114 and Microsoft created a patch for it, we\r\nstrongly encourage all users to close this infection vector by updating as soon as possible.\r\nLet us keep you\r\nup to date\r\nhttps://www.welivesecurity.com/2014/10/14/cve-2014-4114-details-august-blackenergy-powerpoint-campaigns/\r\nPage 3 of 4\n\nSign up for our newsletters\r\nSource: https://www.welivesecurity.com/2014/10/14/cve-2014-4114-details-august-blackenergy-powerpoint-campaigns/\r\nhttps://www.welivesecurity.com/2014/10/14/cve-2014-4114-details-august-blackenergy-powerpoint-campaigns/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2014/10/14/cve-2014-4114-details-august-blackenergy-powerpoint-campaigns/"
	],
	"report_names": [
		"cve-2014-4114-details-august-blackenergy-powerpoint-campaigns"
	],
	"threat_actors": [],
	"ts_created_at": 1775434717,
	"ts_updated_at": 1775791317,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/842122fee8d130850200c6136fc842f27d95a0ac.pdf",
		"text": "https://archive.orkl.eu/842122fee8d130850200c6136fc842f27d95a0ac.txt",
		"img": "https://archive.orkl.eu/842122fee8d130850200c6136fc842f27d95a0ac.jpg"
	}
}