    Possible PPT 0day Used In Targeted Attack

    Amid the recent commotion over PPT 0days, we have just received reports of malware that arrives as a Microsoft PowerPoint file attached to emails that may have been spammed in a possible targeted attack.


    The PowerPoint file comes as an attachment with a filename in Chinese characters which, when translated, can mean “2006 China Army Organization Regulation”. See the snapshot below.


    The malware has a file size of 8,704 bytes. It connects to a site registered in the China region and downloads an index.exe file. As of this writing, the site is probably down.


    The downloader shellcode can be seen in the file by XORing it with 0xEE. We are still analyzing the file to see whether any of its code matches the 0day POCs for PPT posted recently. If not, this could be considered a new 0day.
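
    The XOR step described above, as an added triage example (not code from the original post or from Trend Micro): it decodes a buffer with the 0xEE key and lists the strings that only become readable after decoding, then goes one step further and sweeps every single-byte key for URL or .exe indicators. The sample buffer, the example.invalid URL and all function names are constructed for illustration.

```python
import re

XOR_KEY = 0xEE  # single-byte key stated in the post

# Printable-ASCII runs of 6+ bytes, as a strings(1)-style scan would report.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
# Indicators worth surfacing during triage: a URL or an .exe file name.
URL_OR_EXE = re.compile(rb"https?://[\x21-\x7e]+|[\w.-]+\.exe", re.I)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def decoded_strings(data: bytes, key: int = XOR_KEY) -> list[tuple[int, str]]:
    """Return (offset, text) for each printable run in the XOR-decoded buffer."""
    plain = xor_bytes(data, key)
    return [(m.start(), m.group().decode("ascii")) for m in ASCII_RUN.finditer(plain)]


def candidate_keys(data: bytes) -> dict[int, list[str]]:
    """Try keys 0x01-0xFF; keep those whose output contains a URL or .exe name."""
    hits = {}
    for key in range(1, 256):
        found = URL_OR_EXE.findall(xor_bytes(data, key))
        if found:
            hits[key] = [f.decode("ascii") for f in found]
    return hits


def build_sample() -> bytes:
    """Constructed stand-in for the attachment: binary filler around an encoded string."""
    hidden = b"http://example.invalid/index.exe"  # placeholder URL, not from the post
    filler = bytes([0xD0, 0xCF, 0x11, 0xE0, 0x00, 0x00, 0x03, 0x00]) * 4
    return filler + xor_bytes(hidden, XOR_KEY) + b"\x00" + filler


if __name__ == "__main__":
    sample = build_sample()
    print("plain strings in raw file:", ASCII_RUN.findall(sample))
    for off, text in decoded_strings(sample):
        print(f"0x{off:04x}  {text}")
    print({hex(k): v for k, v in candidate_keys(sample).items()})
```

    A plain strings scan of the raw buffer finds nothing, which is why content filters that only look at cleartext miss the download URL; the key sweep is useful when the key is not known in advance.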


    More information about this malware: TROJ_MDLOAD.A.





    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice