Since a couple of days, malware is being distributed through URLs in PowerPoint Show (.ppsx) files.
A PowerPoint Show file immediately starts a presentation when the attachment is opened. The presentation used to distribute malware consists of a single sheet containing a link. However, this is not a normal link. The link starts a script on the local machine.
Note: The link does not start the script (only) when it is clicked. The script also starts when the mouse moves over the link.
On most systems managed by LISA, the configuration protects against running that script. However, we can not guarantee that for all systems.
Never open attachments from unknown sources.
For questions, please contact CERT-UT via (+31 53 489) 1313 and via firstname.lastname@example.org.