Cyber Crooks Using PowerShell Commands to download Malware through PowerPoint File

Security researchers have detected a PowerPoint file that downloads malware onto the PC as soon as the victim hovers the mouse over a link, and interestingly it needs no macro to do so. The file is circulated as an email attachment with subject lines such as "RE:Purchase orders #69812" or "Fwd:Confirmation". The PowerPoint file is named "order&prsn.ppsx", "order.ppsx" or "invoice.ppsx" and often arrives inside a zip archive. The .ppsx extension looks almost identical to .pptx, but there is a small difference: a .ppsx file always opens directly in slideshow (view) mode instead of the PowerPoint editor, so the victim sees the slide at once. This suspicious PowerPoint file has only one slide, which reads "Loading... Please wait" with an underlined hyperlink. As soon as the user hovers over the link, a mouseover action attached to it executes a command that invokes PowerShell.

If the Protected View security feature is enabled in your Office installation, your PC will not be affected by the attack, because the command is not run without your confirmation. However, if Protected View is disabled, or if you manually allow the code to run, the PowerShell code connects to http://cccn.nl/c.php and downloads another file. This file is an .exe that is actually a malware loader; it is saved in the Temp folder and executed via a .cmd command. Thankfully, Protected View is enabled by default, so this intrusion technique is stopped automatically. Bad practice on the user's side, however, can still let it through. Both Office 365 Advanced Threat Protection and Windows Defender can detect and remove this malware. So, if you have disabled or turned off this feature, you should definitely consider turning it back on. This PowerPoint malware does not require any macros, JavaScript or VBA, and that is what makes it so dangerous.
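To make the mechanism concrete, here is an added example (written for this page, not code from the original article or from the researchers it cites) of a Python script that inspects a .pptx/.ppsx for the link structure behind the hover trick: PresentationML stores a hover or click link as an `<a:hlinkMouseOver>` or `<a:hlinkClick>` element on the text run, and when that element carries `action="ppaction://program"` the relationship target in the slide's .rels part is a command line to launch rather than a web address. The script builds its own minimal sample decks in memory (constructed test input with a harmless `Get-Date` command, not the real lure file), so the file names, the `build_deck`/`scan_presentation`/`severity` helpers and the interpreter list are assumptions of the example.

```python
"""Scan .pptx/.ppsx files for hyperlinks that launch an external program on click or hover.

Hypothetical detection script (added example, not from the original article). It relies on
how PresentationML stores such links: the text run carries <a:hlinkClick> or
<a:hlinkMouseOver> with action="ppaction://program", and the slide's .rels part maps the
link's r:id to an external Target that is the command line to run.
"""
import io
import posixpath
import re
import sys
import urllib.parse
import xml.etree.ElementTree as ET
import zipfile

A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PR_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_REL = R_NS + "/hyperlink"
PROGRAM_ACTION = "ppaction://program"          # "run this Target as a program"
TRIGGERS = {"{%s}hlinkClick" % A_NS: "click", "{%s}hlinkMouseOver" % A_NS: "mouseover"}
# Interpreters / LOLBins one would not expect a slide hyperlink to start (assumed list).
INTERPRETER = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin)\b", re.I)


def _slide_rels(zf, slide):
    """Map r:id -> (Target, TargetMode) from ppt/slides/_rels/<slide>.rels."""
    folder, name = posixpath.split(slide)
    rels_part = posixpath.join(folder, "_rels", name + ".rels")
    if rels_part not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_part))
    return {r.get("Id"): (r.get("Target", ""), r.get("TargetMode", "Internal"))
            for r in root.iter("{%s}Relationship" % PR_NS)}


def scan_presentation(data):
    """Return one finding per program-launching hyperlink in the deck given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        slides = sorted(n for n in zf.namelist()
                        if n.startswith("ppt/slides/") and n.endswith(".xml"))
        for slide in slides:
            rels = _slide_rels(zf, slide)
            for elem in ET.fromstring(zf.read(slide)).iter():
                trigger = TRIGGERS.get(elem.tag)
                if trigger is None or elem.get("action") != PROGRAM_ACTION:
                    continue           # ordinary web links carry no action attribute
                target, mode = rels.get(elem.get("{%s}id" % R_NS), ("", ""))
                target = urllib.parse.unquote(target)   # rels store "powershell%20-NoP..."
                findings.append({"slide": slide, "trigger": trigger, "target": target,
                                 "external": mode == "External",
                                 "interpreter": bool(INTERPRETER.search(target))})
    return findings


def severity(data):
    """'high' if a program is launched on hover or a known interpreter is launched at all,
    'medium' for any other program-launching link, 'none' if the deck has no such link."""
    found = scan_presentation(data)
    if any(f["trigger"] == "mouseover" or f["interpreter"] for f in found):
        return "high"
    return "medium" if found else "none"


def build_deck(target=None, trigger="hlinkMouseOver", action=PROGRAM_ACTION):
    """Construct a minimal one-slide deck in memory (constructed test input, not the real
    lure file). Only the parts the scanner reads are written, so PowerPoint itself would
    not open it."""
    link = rels = ""
    if target is not None:
        act = ' action="%s"' % action if action else ""
        link = '<a:%s r:id="rId2"%s/>' % (trigger, act)
        rels = ('<Relationship Id="rId2" Type="%s" Target="%s" TargetMode="External"/>'
                % (HYPERLINK_REL, target))
    slide = ('<p:sld xmlns:a="%s" xmlns:r="%s" '
             'xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main">'
             '<p:cSld><p:spTree><p:sp><p:txBody><a:p><a:r><a:rPr lang="en-US">%s</a:rPr>'
             '<a:t>Loading... Please wait</a:t></a:r></a:p></p:txBody></p:sp>'
             '</p:spTree></p:cSld></p:sld>' % (A_NS, R_NS, link))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", slide)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels",
                    '<Relationships xmlns="%s">%s</Relationships>' % (PR_NS, rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan_ppsx.py invoice.ppsx ...   (no arguments: scan the constructed decks)
    paths = sys.argv[1:]
    samples = {p: open(p, "rb").read() for p in paths} if paths else {
        "hover-lure.ppsx": build_deck("powershell%20-NoP%20-W%20Hidden%20-c%20Get-Date"),
        "plain-link.ppsx": build_deck("https://example.com/", "hlinkClick", None),
    }
    for name, blob in samples.items():
        print(name, severity(blob))
        for f in scan_presentation(blob):
            print("  %s %s -> %r" % (f["slide"], f["trigger"], f["target"]))
```

The scanner deliberately keys on the `ppaction://program` action rather than on the word "powershell", because the action is what turns a hyperlink into a program launch; the interpreter check only raises the severity. A real triage pipeline would also walk `ppt/notesSlides/` and other parts that can hold DrawingML text, and would treat any deck arriving as a zipped .ppsx with a single "Loading..." slide as suspect regardless of what the scanner finds.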