LetsDefend : Malicious VBA


One of the employees has received a suspicious document attached in the invoice email. They sent you the file to investigate. You managed to extract some strings from the VBA Macro document. Can you refer to CyberChef and decode the suspicious strings?

Please, open the document in Notepad++ for security reasons unless you are running the file in an isolated sandbox.

Tools used:

  • Strings
  • Cyberchef
  • Google as always

Macro viruses insert malicious code into data files such as spreadsheets and documents. By running any strings tool over the file we can see parts of the Visual Basic code. However, it isn't in clear text; it is clearly obfuscated, so we first need to identify the obfuscated commands. In the highlighted strings output, the yellow parts are common VBA syntax and the green parts are the obfuscated text.

After some trial and error we are able to see the clear text with CyberChef's From Charcode operation.
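As an added example (not part of the original write-up or of the challenge file), the Python below reproduces the From Charcode step for the two shapes the obfuscation takes: VBA Chr() concatenations lifted straight from the strings output, and a bare list of codes as pasted into CyberChef. The macro text and the URL inside it are constructed placeholders.

```python
import re

# Chr(104), ChrW(104), ChrB(104), Chr$(104) -> group 1 is the decimal code.
CHR_CALL = re.compile(r"Chr[WB]?\$?\(\s*(\d+)\s*\)", re.IGNORECASE)
# A VBA string literal; a doubled quote inside it is an escaped quote.
STR_LITERAL = re.compile(r'"((?:[^"]|"")*)"')
# Either token kind, scanned left to right across a line.
TOKEN = re.compile(f"{CHR_CALL.pattern}|{STR_LITERAL.pattern}", re.IGNORECASE)


def decode_chr_expression(expr: str) -> str:
    """Turn  Chr(104) & "t" & ChrW(116)  into plain text. Only Chr() calls and
    quoted literals contribute; the '&' glue and whitespace are skipped."""
    out = []
    for m in TOKEN.finditer(expr):
        if m.group(1) is not None:                 # Chr(n) branch
            out.append(chr(int(m.group(1))))
        else:                                      # "literal" branch
            out.append(m.group(2).replace('""', '"'))
    return "".join(out)


def decode_charcode_list(text: str, base: int = 10) -> str:
    """Same as CyberChef 'From Charcode' on a space/comma separated code list."""
    codes = [int(tok, base) for tok in re.split(r"[\s,;]+", text.strip()) if tok]
    return "".join(chr(c) for c in codes)


def recover_strings(macro_text: str) -> list:
    """Walk strings/macro output line by line and decode every line that
    carries Chr() calls, returning the recovered plain-text values in order."""
    return [decode_chr_expression(line)
            for line in macro_text.splitlines() if CHR_CALL.search(line)]


# Constructed sample macro text (not from the challenge file); the host name
# is a placeholder, not the real download location.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim u As String
    u = Chr(104) & Chr(116) & Chr(116) & Chr(112) & ":" & Chr(47) & Chr(47) & "placeholder.invalid" & Chr(47) & Chr(115) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
    Dim o As String
    o = Chr(83) & "ay ""hi"""
End Sub
'''

if __name__ == "__main__":
    for s in recover_strings(SAMPLE_MACRO):
        print(s)
```

Running the script prints the two recovered strings; feeding the same decimal codes to `decode_charcode_list` gives the result CyberChef would show.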

Question 1

The document initiates the download of a payload after the execution, can you tell what website is hosting it?

Question 2

What is the filename of the payload (include the extension)?

Question 3

What method is it using to establish an HTTP connection between files on the malicious web server?

Question 4

What user-agent string is it using?

Question 5

What object does the attacker use to be able to read or write text and binary files?

Question 6

What is the object the attacker uses for WMI execution? Possibly they are using this to hide the suspicious application running in the background.
