This is another Office document infection that can occur without the benefit of Macros. The active malware associated with this exploit is called “Zusy” and affects Microsoft PowerPoint.
The infection occurs when the mouse is moved over (Mouse-Over) a warning hyperlink. PowerPoint inexplicably invokes PowerShell, allowing the exploit to install.
When the user opens the file, a popup message appears that says, “Loading … Please Wait,”. Moving the mouse over the popup message to check the hyperlink causes the Zusy infection; no clicking required!
However, the newest scam contains a hyperlink that, if hovered over, will trigger a command that infects the computer with the Zusy malware, no clicking required. The Mouse-Over causes PowerShell to download the malicious JavaScript Executable (.jse) That, in turn, downloads the Zusy payload.
Zusy is propagated by spam email and will include subject lines like “Purchase Order #” or “Confirmation“. Those messages will have a PowerPoint file attached that have a name like “order.ppsx”, “invoice.ppsx” or “order&prsn.ppsx”.
Again, people should exercise some common sense. How many invoices or orders do you get via a PowerPoint presentation? Infections will be more likely to occur in older versions of Office, like Office 2007. An updated anti-virus/anti-malware program will likely stop this infection as well.
There is a good write-up on this malware at Kaspersky’s ThreatPost.