PowerPoint Files Abused to Take Over Computers


Level 85
Thread author
Honorary Member
Top Poster
Content Creator
Malware Hunter
Aug 17, 2014
Attackers are using an under-the-radar PowerPoint file to hide malicious executables that can rewrite Windows registry settings to take over an end user’s computer, researchers have found.

It’s one of a number of stealthy ways threat actors recently have been targeting desktop users through trusted applications they use daily, using emails that are designed to evade security detections and appear legitimate. New research from Avanan, a Check Point company, has uncovered how a “little-known add-on” in PowerPoint – the .ppam file – is being used to hide malware. Jeremy Fuchs, cybersecurity researcher and analyst at Avanan, wrote in a report published Thursday that the file has bonus commands and custom macros, among other functions.

Beginning in January, researchers observed attackers delivering socially engineered emails that include .ppam file attachments with malicious intent.

Andy Ful

From Hard_Configurator Tools
Honorary Member
Top Poster
Dec 23, 2014
Has Microsoft produced a patch yet for these attacks?

PPAM file is the PowerPoint Add-in. So, it can have executable content (often a VBA macro) that is run by PowerPoint - this cannot be simply patched. The AVs can detect the attack by standard actions (using signatures, behavior-detections, AMSI, etc.). One can block the infection chain via HIPS, ASR, SRP, etc. You can also harden the MS Office application by:
  1. Disabling all Add-ins via Registry or GPO.
  2. Disabling VBA in MS Office via Registry or GPO.
  3. Disassociating the PPAM extension from PowerPoint.
  4. Applying Exploit protection mitigation related to child processes.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.