Researchers have analyzed the latest Agent Tesla malware, focusing on a new infection chain that goes through a long and complex process to deliver the final payload. It starts with a phishing email carrying an RTF attachment. The RTF document contains several embedded OLE objects, each of which wraps an OOXML package. Each object prompts the user to enable macros so that the VBA code inside its OOXML package can run. That VBA code is so heavily obfuscated that automated malware analysis tools could not process it. Manual debugging shows that, taken together, the VBA fragments assemble a PowerShell blob. The PowerShell is itself obfuscated to hinder analysis and serves two purposes: bypassing AMSI, so that the Antimalware Scan Interface does not inspect the script content that follows, and downloading a file.

The downloaded file is an Agent Tesla executable. It first establishes persistence via a scheduled task, then disables Task Manager, and finally steals Wi-Fi passwords and application credentials. The stolen credentials are exfiltrated via SMTP using a hardcoded email address and password, so the exfiltration account can be recovered from the sample and blocked.

The researchers note that a similar infection chain has been seen before, but at that time it was distributing Lokibot.
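The first stage of the chain, an RTF whose embedded OLE objects each carry an OOXML package with VBA inside, lends itself to static triage: decode every `\objdata` group, carve the OOXML zip out of it, and check for a VBA project. The script below is an added example written for this page; it is not the researchers' tooling and the RTF it analyzes is constructed inline for the demonstration. It carves packages by magic bytes rather than fully parsing the OLE 1.0 object stream, which is sufficient for triage but not for every malformed sample.

```python
"""Triage an RTF lure for embedded OLE objects that carry OOXML packages with VBA.

Added example, not the researchers' tooling. The RTF sample below is constructed
for the demonstration. Carving is by magic bytes (a triage heuristic), not a full
OLE 1.0 object-stream parser.
"""
from __future__ import annotations

import binascii
import io
import re
import zipfile

# \objdata groups hold the embedded OLE object as a run of hex digits.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
ZIP_MAGIC = b"PK\x03\x04"                          # local file header of a zip / OOXML package
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # OLE2 compound file (legacy .doc, vbaProject.bin)


def extract_objdata_blobs(rtf: bytes) -> list[bytes]:
    """Return the decoded bytes of every \\objdata group in the RTF."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", match.group(1))
        if len(hexdata) % 2:  # tolerate a stray trailing nibble
            hexdata = hexdata[:-1]
        blobs.append(binascii.unhexlify(hexdata))
    return blobs


def triage_blob(blob: bytes) -> dict:
    """Carve an OOXML package out of one OLE object and look for a VBA project."""
    result = {"has_cfb": CFB_MAGIC in blob, "ooxml_entries": [], "has_vba": False}
    offset = blob.find(ZIP_MAGIC)
    if offset != -1:
        try:
            with zipfile.ZipFile(io.BytesIO(blob[offset:])) as package:
                names = package.namelist()
        except zipfile.BadZipFile:
            names = []
        result["ooxml_entries"] = names
        # Macros in an OOXML document live in word/vbaProject.bin (xl/ or ppt/ for other apps).
        result["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    return result


def triage_rtf(rtf: bytes) -> list[dict]:
    """One finding per embedded OLE object, in document order."""
    return [triage_blob(blob) for blob in extract_objdata_blobs(rtf)]


def build_constructed_sample_rtf() -> bytes:
    """Constructed lure: two embedded objects, one OOXML package with a VBA project, one without."""

    def ooxml(with_macro: bool) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
            z.writestr("[Content_Types].xml", "<Types/>")
            z.writestr("word/document.xml", "<w:document/>")
            if with_macro:
                z.writestr("word/vbaProject.bin", CFB_MAGIC + b"\x00" * 16)
        return buf.getvalue()

    def objdata(payload: bytes) -> bytes:
        # Minimal stand-in for the OLE 1.0 preamble (version, format id); the real
        # object stream has more fields, which the magic-byte carve does not need.
        return binascii.hexlify(b"\x01\x05\x00\x00\x02\x00\x00\x00" + payload)

    def embedded_object(payload: bytes) -> bytes:
        return (b"{\\object\\objemb{\\*\\objclass Word.Document.12}{\\*\\objdata "
                + objdata(payload) + b"}}")

    return b"{\\rtf1\\ansi " + embedded_object(ooxml(True)) + embedded_object(ooxml(False)) + b"}"


if __name__ == "__main__":
    for i, finding in enumerate(triage_rtf(build_constructed_sample_rtf()), 1):
        verdict = "VBA project present" if finding["has_vba"] else "no VBA project"
        print(f"object {i}: {len(finding['ooxml_entries'])} OOXML entries, {verdict}")
```

Running the script against a real attachment is a matter of passing the file's bytes to `triage_rtf`; an object whose package lists a `vbaProject.bin` entry is the one to pull for manual deobfuscation, since the page notes automated tooling fails on this VBA.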