Last week, I wrote a diary about a malicious PowerPoint add-on[1] and I concluded by saying that I was not able to continue the investigation because the URL found in the macro pointed to a blogspot.com URL. Ron, one of our readers, found that this page was indeed malicious and contained some piece of JavaScript executed by mshta.exe. The document discovered by Ron was not identical to mine (the macro slightly changed) but it pointed to the same URL (the blog has been closed by Blogger in the meantime). How did I miss this simple piece of JavaScript? I don't know but thanks to Ron for sharing the nice document[2]. Very interesting read! [1] https://isc.sans.edu/forums/diary/Malicious+PowerPoint+AddOn+Small+Is+Beautiful/27342/ Xavier Mertens (@xme) |
Xme 687 Posts ISC Handler Apr 28th 2021 |
Thread locked Subscribe |
Apr 28th 2021 1 year ago |
Sign Up for Free or Log In to start participating in the conversation!