Security researchers have spotted a booby-trapped PowerPoint file that will download malware to a computer whenever a victim hovers a link, no macro scripts required.

The file is a PowerPoint presentation that is delivered to potential victims as a file attachment with emails bearing the subject line "RE:Purchase orders #69812" or "Fwd:Confirmation". The name of the PowerPoint file itself is "order&prsn.ppsx", "order.ppsx", or "invoice.ppsx", and there's also evidence the file has been spread around inside ZIP files.

Spam email delivering booby-trapped PPSX file
Hello,

Please see attached purchase order for the moving of equipment from London to Surrey on Wednesday 31st May.

Thanks
Nasim Khan, E-Pharm Limited
Phone : +44 (0) 203 3002245

PPSX files use the same format as PPTX files; the only difference is that PowerPoint opens them directly in slideshow (presentation) view instead of edit mode, so the victim never sees the slide's underlying content.

The PowerPoint file contains a single slide (pictured below) whose only content is the hyperlinked text "Loading...Please wait".

Content of PPSX file

Whenever the user hovers over the link, the action attached to it invokes PowerShell, which attempts to run the following code.

Malicious code [obfuscated]
Malicious code [deobfuscated]
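To show how a defender can find this hover trigger inside a file before it is ever opened, here is an added example (not code from the article or from the researchers it cites): a Python script that unzips a PPSX and flags slides whose mouse-over hyperlinks are set to launch a program. The element names it looks for (a:hlinkMouseOver, action="ppaction://program", the relationship Target) are assumptions taken from the Office Open XML slide format rather than from the article, and the sample PPSX it builds is constructed, not the malicious file described above.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Assumptions (Office Open XML, not stated in the article): a mouse-over hyperlink
# is an <a:hlinkMouseOver> element, action="ppaction://program" means "run a
# program", and the command is the Target of the slide relationship named by r:id.
A = "{http://schemas.openxmlformats.org/drawingml/2006/main}"
R = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}"
PKG = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def scan_ppsx(data: bytes) -> list[tuple[str, str]]:
    """Return (slide part, command) for every hover link set to launch a program."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        slides = sorted(n for n in names if n.startswith("ppt/slides/slide") and n.endswith(".xml"))
        for part in slides:
            # Relationship targets live in ppt/slides/_rels/slideN.xml.rels
            rels_part = part.replace("ppt/slides/", "ppt/slides/_rels/") + ".rels"
            targets = {}
            if rels_part in names:
                for rel in ET.fromstring(zf.read(rels_part)).iter(PKG + "Relationship"):
                    targets[rel.get("Id")] = rel.get("Target", "")
            for link in ET.fromstring(zf.read(part)).iter(A + "hlinkMouseOver"):
                if link.get("action") == "ppaction://program":
                    findings.append((part, targets.get(link.get(R + "id"), "<unresolved>")))
    return findings


def build_sample_ppsx(command: str) -> bytes:
    """Constructed one-slide PPSX: 'Loading...Please wait' text with a hover action."""
    slide = (f'<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
             f'xmlns:a="{A[1:-1]}" xmlns:r="{R[1:-1]}"><p:cSld><p:spTree><p:sp><p:txBody>'
             f'<a:p><a:r><a:rPr><a:hlinkMouseOver r:id="rId2" action="ppaction://program"/></a:rPr>'
             f'<a:t>Loading...Please wait</a:t></a:r></a:p></p:txBody></p:sp></p:spTree></p:cSld></p:sld>')
    rels = (f'<Relationships xmlns="{PKG[1:-1]}"><Relationship Id="rId2" '
            f'Type="{R[1:-1]}/hyperlink" Target="{command}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", slide)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_ppsx("powershell.exe -c CONSTRUCTED_SAMPLE")  # benign placeholder
    for part, cmd in scan_ppsx(sample):
        print(f"{part}: hover link launches a program -> {cmd!r}")
```

Run it against a real mail attachment with `scan_ppsx(open(path, "rb").read())`; any finding means the file launches a program on hover and should be quarantined regardless of what the command string looks like.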

If the user is using an Office installation with the Protected View security feature enabled, Office will stop the attack from taking place.

Office Protected View stopping execution of malicious code

For users who have Protected View disabled, or who dismiss the warning and allow the code to execute, the malicious PowerShell code attempts to connect to http://cccn.nl/c.php and download another file.

During our tests, the malicious PPSX file downloaded the EXE pictured below, a mundane malware loader, saved it to the user's local Temp folder, and then attempted to launch it via cmd.exe.

Office Protected View protects against "hover link" technique

Contacted by Bleeping Computer, a Microsoft spokesperson provided more information on this attack vector.

Office Protected View is enabled by default and protects against the technique described in the report. Both Windows Defender and Office 365 Advanced Threat Protection also detect and remove the malware. We encourage users to practice good computing habits online, and exercise caution when enabling content or clicking on links to web pages.

As Microsoft said in its statement, Office protects against this technique because Office Protected View is enabled by default. Users and organizations that know they have turned this feature off should review that policy with this attack vector in mind.

UPDATE: Following our article, security researcher Ruben Daniel Dodge has also published research on this same attack vector, along with SentinelOne.

IOCs:

PowerPoint file:

796a386b43f12b99568f55166e339fcf43a4792d292bdd05dafa97ee32518921

f05af917f6cbd7294bd312a6aad70d071426ce5c24cf21e6898341d9f85013c0

Second-stage EXE:

9efc3aa23de09f1713a2e138760a42d0a14568c86cdbb5499d2adddbe197db57
