PowerPoint has a number of add-on files that add features and capabilities. One of these is the .ppam file.  

A little-known add-on, it has bonus commands and custom macros, among other functions. 

Now, this file is being used by hackers to wrap executable files. 

Starting in January 2022, Avanan observed how the .ppam file is being used to wrap executable files that allow the attacker to take over the end-user’s computer. In this attack brief, Avanan will analyze how .ppam files are being utilized by hackers. 


In this attack, hackers are utilizing .ppam files to wrap dangerous executable files.  

  • Vector: Email
  • Type: Malicious File 
  • Techniques: .ppam executables
  • Target: Any end-user



In this attack, hackers are showing a generic purchase order email, a pretty standard phishing message. The file attached to the email is a .ppam file. A .ppam file is a PowerPoint add-on, which extends and adds certain capabilities. However, this file is actually wrapping a malicious process whereby the registry setting will be overwritten.

Email Example #1

In this email, an innocent-looking purchase order is sent.

This email seems like a standard purchase order email that’s typically used for phishing. The danger lies in the attachment. 


Email Example #2

The .ppam file, as analyzed by Check Point’s Sandblast, is indeed malicious:


This overview shows the dangers associated with the file, as well as how it works.


This overview describes exactly how the file will take over the end-user’s computer. 


In this email attack, hackers found a way to leverage a little-known file to wrap executable files. Using .ppam files, a PowerPoint add-on file, hackers can wrap, and thus hide, malicious files. In this case, the file will overwrite the registry settings in Windows, allowing the attacker to take control over the computer, and keep itself active by persistently residing in the computer's memory.

In doing so, hackers have found a way to bypass existing security (in this case Google) with a file that's rarely used. Plus, it shows the potential dangers of this file, as it can be sued to wrap any sort of malicious file, including ransomware. In October, for example, it was reported that a .ppam file was used to wrap ransomware. While the attack described here describes something different, it shows the potential of the extension to wrap and hide dangerous files. By combining the potential urgency of a purchase order email, along with a dangerous file, this attack packs a one-two punch that can devastate an end-user and a company. 

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Implement protection that downloads all files in a sandbox and inspects them for malicious content
  • Because phishing is the leading cause of ransomware, implement security that can dynamically analyze emails for Indicators of Compromise. This email failed an SPF check and there was an insignificant historical reputation with the sender
  • Encourage end-users to reach out to IT when seeing an unfamiliar file

Subscribe to Our Attack Briefs for More Research