Malware goes undetected by hiding malicious code in uncommon MS Access format
2024-8-5 22:39:10 Author: www.vmray.com

In a nutshell:

The ACCDE format is rarely abused by attackers: not a single ACCDE file uploaded to VirusTotal in the last 90 days has a malicious verdict.

The VBA macros are present only as compiled p-code and execodes (an ACCDE file carries no VBA source), which complicates static analysis, but dynamic analysis still reveals the malicious behavior.

The dropped PE file ("MW-Black-Shell", only 5/75 detections on VirusTotal) connects to its C2 server and keeps waiting for commands to execute.

The PE file is not stored in the macros but in a table in the database.

The malware schedules itself to run at specific times (e.g., daily at 9:30).

Sample SHA256: 615727e8ed031ca82ae1799893d7b42831f3ed86a1dbc5b4f654d2b5646808b5
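Because the payload sits in a table cell rather than in the VBA project, a triage step that does not depend on the stripped VBA source is to scan the raw database file for embedded PE images. The script below is an added example written for this page, not VMRay's tooling: it walks a binary blob for "MZ" headers, validates that e_lfanew points at a "PE\0\0" signature, parses the COFF and section headers, and reports whether the image is fully contained in the blob. The "database" it runs on is a constructed stand-in (a header page followed by filler and a minimal hand-built x86-64 PE), not a real ACE page layout; run it against a real ACCDE by passing the path as the first argument.

```python
"""Carve candidate PE images out of an arbitrary binary blob.

Added example (not VMRay's code). An ACCDE/ACCDB file is a page-based
Jet/ACE database, so a PE stored in a table cell sits somewhere inside the
file body rather than in the VBA project. Scanning for MZ/PE headers finds
it even though the macros survive only as compiled p-code.
"""
import struct
import sys

PE_SIGNATURE = b"PE\x00\x00"
MACHINE_NAMES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000


def parse_pe_header(blob, off):
    """Return a dict describing the PE at blob[off:], or None if not a PE."""
    if off + 0x40 > len(blob):
        return None
    # e_lfanew (offset of the PE signature) lives at 0x3C of the DOS header.
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    # Real images keep e_lfanew small; reject wild values and out-of-range hits.
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe + 24 > len(blob):
        return None
    if blob[pe:pe + 4] != PE_SIGNATURE:
        return None
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", blob, pe + 4)
    sect_off = pe + 24 + opt_size  # section table follows the optional header
    sections, end = [], 0
    for i in range(nsections):
        so = sect_off + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        if so + 40 > len(blob):
            return None
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, so)
        sections.append(name.rstrip(b"\x00").decode("ascii", "replace"))
        end = max(end, raw_ptr + raw_size)  # on-disk extent of the image
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "timestamp": timestamp,
        "sections": sections,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "size": end,
        "complete": off + end <= len(blob),
    }


def find_pe_candidates(blob):
    """Return [(offset, info), ...] for every plausible PE header in blob."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        info = parse_pe_header(blob, pos)
        if info:
            hits.append((pos, info))
        pos = blob.find(b"MZ", pos + 1)
    return hits


def carve(blob, off, info):
    """Slice the image out of the blob (only meaningful when info['complete'])."""
    return blob[off:off + info["size"]]


# --- constructed sample input (not a real ACCDE, not the page's sample) ---
SAMPLE_PE_OFFSET = 4096 + 512


def build_fake_pe():
    """Minimal hand-built x86-64 PE: DOS stub, COFF header, one .text section."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> right after DOS header
    coff = PE_SIGNATURE + struct.pack("<HHIIIHH", 0x8664, 1, 0x66B00000, 0, 0, 0, 0x0022)
    hdr_len = 0x40 + len(coff) + 40                    # headers end where .text starts
    section = struct.pack("<8sIIIIIIHHI", b".text", 16, 0x1000, 16, hdr_len,
                          0, 0, 0, 0, 0x60000020)
    return bytes(dos) + coff + section + b"\x90" * 16  # 16 bytes of NOP "code"


def build_sample_database():
    """Constructed stand-in for an ACCDE: header page, filler, embedded PE, tail."""
    header_page = b"\x00\x01\x00\x00Standard ACE DB\x00".ljust(4096, b"\x00")
    filler = b"tblPayload".ljust(512, b"\x00")
    return header_page + filler + build_fake_pe() + b"\x00" * 1024


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_database()
    for off, info in find_pe_candidates(data):
        print(f"PE at 0x{off:x}: {info}")
```

One caveat for real files: Jet/ACE keeps long binary values (OLE Object and Attachment fields) in chained long-value pages, so a payload larger than one page may not be contiguous on disk. In that case the header is still found but `complete` will be false or the section extents will look wrong, and the clean way to recover the blob is to export the table through the ACE driver or a Jet parser rather than carving the file body.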


Source: https://www.vmray.com/malware-goes-undetected-by-hiding-malicious-code-in-uncommon-ms-access-format/