SUSP_VBA_Dropper_Feb26

Rule Info

Name
SUSP_VBA_Dropper_Feb26
Author
MalGamy
Description
Detects malicious VBA macros implementing string obfuscation and used to drop malicious payloads
Score
70
Reference
https://www.group-ib.com/blog/muddywater-operation-olalampo/
Date
2026-02-20
Minimum Yara
3.5.0
Rule Hash
c571e66327fc13a7e41632a729def58a
Tags
['SCRIPT', 'OBFUS', 'SUSP']
Required Modules
[]
Virustotal Matches
https://www.virustotal.com/gui/search/susp_vba_dropper_feb26/comments

Antivirus Verdicts

Rating
Number of Samples
Malicious (>= 10 engines)
2
Suspicious (< 10 engines)
4
Clean (0 engines)
0

Rule Matches

Timestamp
Positives
Total
Hash
VT
2026-05-22 04:27:14
2
58
764e3582ea592c47f32f231e298137007f7ca9c1d2abac604d137cc55d1f90cd
2026-05-22 04:27:04
1
62
210b06bd6a613caf4964a60ee8920d7423465338071c939f94fe62c9ac9a32ef
2026-03-19 07:06:57
13
56
20e7b9dcf954660555d511a64a07996f6178f5819f8501611a521e19fbba74b0
2026-03-07 22:11:54
14
63
a00f17de6adce01fa48a4b33c63e2213c0e038be49d46a01f1304a8b21216b57
2026-03-06 13:41:24
6
62
a9075d8f8457e50bb82b6f0c72fb2b2c3fc3c45f7d9d8543e9c2a109daf8e846
2026-03-04 06:45:25
1
63
e51bda99da82965fe8203c773a144ca9dc1bb39225f6bac369b47cc90b7c9137

Rule Matches per Month (last 24 months)

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022