When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

Microsoft PowerPoint used as attack vector to download malware

Neowin · · Hot! with 5 comments

A vulnerability in the Windows Object Linking Embedding (OLE) interface is being exploited by cybercriminals through Microsoft PowerPoint in order to install malware.

The phishing message containing a PPSX file | via Trend Micro

According to a report by security firm Trend Micro, the interface is commonly exploited by the use of malicious Rich Text File (RTF) documents. The new discovery, however, takes advantage of PowerPoint slideshows.

As is so often the case,, it all begins in a phishing email that contains an attachment. The message appears to be some sort of order request, with the attached file supposedly containing shipping details.

Looking closely, the provided document is a PPSX file. This is a type of PowerPoint file that only allows the playback of the slideshow, and is not editable. Should the receiver download and open it, the content will only display the text ‘CVE-2017-8570,’ a reference to a different vulnerability for Microsoft Office.

The file will instead trigger an exploit for the CVE-2017-0199 vulnerability, and will then start to infect the host computer, with malicious code being run through PowerPoint animations. Subsequently, a file called ‘logo.doc’ will be downloaded.

The document is actually an XML file with JavaScript code that runs a PowerShell command to download a new program called ‘RATMAN.exe.’ a trojanized version of a remote access tool called Remcos. A connection to a Command & Control server will be established after.

Remcos can record keystrokes, take screenshots, record videos and audio, and download even more malware. It can also give the attacker full control of the infected computer.

To make things worse, the malicious file uses an unknown .NET protector, which makes it difficult for security researchers to analyse it. Ultimately, since the detection methods for CVE-2017-0199 focuses on RTF files, the use of PowerPoint files allows attackers to evade antivirus detections.

Trend Micro does note, however, that Microsoft has already addressed the vulnerability back in April. This helps protect systems running the latest patches.

All things considered, cases like this emphasize the need to be careful in downloading not just email attachments, but also everything on the internet. It is also recommended to keep your software updated, in order to help block the latest attacks that could compromise the security of your computer systems.

Report a problem with article
Next Article

Elite: Dangerous hits 2.75 million in sales after its recent release on PlayStation 4

Logo and icon on Internet Explorer in blue on a dark background
Previous Article

The Microsoft Company Store will not be accessible via some older browsers after Sept. 1

Join the conversation!

Login or Sign Up to read and post a comment.

5 Comments - Add comment