More importantly, the malware does not infect the system in a traditional way, such as macros or other scripts, but rather by hiding it in PowerPoint files. When the user opens the document, it will see “Loading … Please Wait” in the slide. When the user moves the cursor over the hyperlink, the PowerShell code contained in the file will be triggered even if the user does not click.
If the victim moves, the PowerShell code will be executed and connected to the site “cccn.nl”. Then the malware will download the file from the domain name and execute it, eventually deploy the malicious program downloader.