Zusy PowerPoint Malware does not need Macros to spread


Malware often comes in a package that looks harmless. As soon as the victim clicks on it, malware starts spreading like an open can of worms and takes control of the victim’s PC. Typically, in such attacks, when the user enables the Macros, the malware gets executed. However, it seems the new malware doesn’t even require the macros packaging for it to spread. One of such latest threat is Zusy PowerPoint Malware. As the name suggests, this malware spreads through PowerPoint attachments.


Office Macros are basically small bits of code written in Visual Basic (VBA), that allow you to carry out select repetitive tasks. They are useful by themselves, but many a times malware writers misuse this functionality to introduce malware into your computer system.

A Macro virus is a virus that takes advantage of Macros that run in Microsoft Office applications such as the Microsoft Word, PowerPoint or Excel. Cyber criminals send you a macro-infested payload or a file which will later on download a malicious script, via email and use a subject line that interests or provokes you into opening the document. When you open the document, a macro runs to execute whatever the task the criminal wants.

Zusy PowerPoint Malware

As reported by SentinelOne Labs, Zusy PowerPoint Malware is spreading as a PowerPoint file attached to spam emails with titles like “Purchase Order #130527” and “Confirmation”. As mentioned before, this malware doesn’t require the user to enable macros to execute. Most Office malware need users to activate the macros to download some executable payload, which does most of the malicious stuff. However, Zusy PowerPoint Malware uses an external program feature to spread its malicious activities.

SentinelOne Labs gives the sample details of the Zusy Malware. These are as follows:

Sample SHA256es:

  • PowerPoint dropper: 796a386b43f12b99568f55166e339fcf43a4792d292bdd05dafa97ee32518921.
  • First-stage JSE payload: 55821b2be825629d6674884d93006440d131f77bed216d36ea20e4930a280302
  • Second-stage EXE payload 55c69d2b82addd7a0cd3bebe910cd42b7343bd3faa7593356bcdca13dd73a0ef

Their report also mentions how Zusy malware works:

When the user opens the malicious PowerPoint file, it shows a screen with a single link that says “Loading…Please wait”:

When the user hovers over the URL the malware comes into action. Only hovering causes PowerPoint to execute an external program. SentinelOne Labs mentions, it’s powershell plus a small script which downloads an additional payload.

But, the malware doesn’t start spreading or even the code doesn’t execute automatically as soon as the file is opened. Users get a severe warning from both Office 2013 and Office 2010 by default. The malware comes into action only when users enable external programs; because they’re lazy, in a hurry, or they’re only used to blocking macros. Also, some configurations may possibly be more permissive in executing external programs than they are with macros.

The interesting part is the PowerPoint viewer doesn’t seem to be vulnerable at all because it refuses to execute the program. The Zusy PowerPoint Malware gets executed through a shell command.

SentinelOne Labs is still investigating this malware in more details. Users are suggested not opening any unknown or suspicious Office attachment to avoid the attack of any such malware. For more information on Zusy PowerPoint Malware, read the report by SentinelOne Labs.