Sublime Core Feed
High Severity

Attachment: Macro with suspected use of COM ShellBrowserWindow object for process creation

Description

Macro references the ShellBrowserWindow COM object, which can be used to spawn new processes from Explorer.exe rather than as a child process of the Office application. This can be useful for a threat actor attempting to evade security controls that key on the Office process as the parent of a suspicious child.

@ajpc500
Created Aug 17th, 2023 • Last updated Aug 5th, 2025
Source
type.inbound
and any(attachments,
        (
          .file_extension in~ $file_extensions_macros
          or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
              and .size < 100000000
          )
        )
        and any(file.explode(.),
                any(.scan.strings.strings,
                    strings.ilike(., "*new:C08AFD90-F2A1-11D1-8455-00A0C91F3880*")
                )
        )
)
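The rule above explodes each attachment, pulls the strings out of the result and does a case-insensitive wildcard match for the ShellBrowserWindow CLSID moniker. The following Python script is an added example that is not part of the Sublime rule or the Sublime platform: it reimplements just that string-scan stage on raw bytes, so the logic can be checked against local samples outside the MQL console. The `extract_strings` and `ilike` helpers are my own approximations of the `strings` tool and of MQL's `ilike` semantics (case-insensitive, `*` as a wildcard), and the macro bytes are constructed here for illustration, not taken from a real sample.

```python
from __future__ import annotations

import re

# CLSID moniker the MQL rule on this page searches for (taken from the rule source).
SHELL_BROWSER_WINDOW_MONIKER = "new:C08AFD90-F2A1-11D1-8455-00A0C91F3880"

# Minimum run of printable bytes to count as a string (same default as strings(1)).
MIN_STRING_LEN = 4


def _is_printable(b: int) -> bool:
    """Printable ASCII plus tab, the same character class strings(1) uses by default."""
    return 32 <= b <= 126 or b == 9


def extract_strings(data: bytes, min_len: int = MIN_STRING_LEN) -> list[str]:
    """Pull runs of printable ASCII out of raw bytes, like the strings(1) utility.

    This stands in for the `.scan.strings.strings` output of `file.explode(.)`;
    it is an approximation written for this example, not Sublime's implementation.
    """
    found: list[str] = []
    run = bytearray()
    for b in data:
        if _is_printable(b):
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def ilike(value: str, pattern: str) -> bool:
    """Approximate MQL's `ilike`: case-insensitive, '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None


def find_shellbrowserwindow_refs(data: bytes) -> list[str]:
    """Return every extracted string that carries the ShellBrowserWindow moniker.

    Mirrors the rule's `any(.scan.strings.strings, strings.ilike(., "*new:C08AFD90-...*"))`
    clause: a non-empty result is what would make the rule fire for this attachment.
    """
    pattern = f"*{SHELL_BROWSER_WINDOW_MONIKER}*"
    return [s for s in extract_strings(data) if ilike(s, pattern)]


# Constructed sample: a macro fragment carrying the moniker in a different letter case,
# padded with non-printable bytes so string extraction has real work to do.
SAMPLE_MACRO = (
    b"\x00\x01Attribute VB_Name = \"Module1\"\x00\x00"
    b"Sub Demo()\x00"
    b"    Dim target As String\x00"
    b"    target = \"NEW:c08afd90-f2a1-11d1-8455-00a0c91f3880\"\x00"
    b"End Sub\x00\xff\xfe"
)

# Constructed benign macro with no COM moniker, used as the negative case.
BENIGN_MACRO = b"Sub Demo()\x00    MsgBox \"hello\"\x00End Sub\x00"


def main() -> None:
    for label, blob in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        hits = find_shellbrowserwindow_refs(blob)
        verdict = "MATCH" if hits else "no match"
        print(f"{label}: {verdict}")
        for h in hits:
            print(f"  {h.strip()}")


if __name__ == "__main__":
    main()
```

The lower-case moniker in the constructed sample is the point of the `ilike` call: a plain `==` or case-sensitive `in` check would miss it. In practice the rule's `file.explode(.)` stage also unpacks the OLE container and decompresses the VBA project before any strings exist to scan, so to run this script against a real `.docm` you would feed it the decompressed module source (for example, as extracted by olevba from oletools) rather than the raw document bytes; that pre-processing step is assumed here and not shown.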