For a day or two now I have been seeing yet another trick used by malware authors in their VBA macros.
The sample I’m looking at is 26B857A0A57B89166584CBB7167CAA19.
The VBA macro downloads base64-encoded scripts from Pastebin:
The scripts are delimited by HTML-like tags such as <text10>. Tags starting with stext hold scripts for Windows XP systems, and tags starting with text hold scripts for Windows Vista and later. The distinction exists because of PowerShell: on XP, VBS scripts are executed, and on more recent systems, PowerShell scripts are executed.
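For analysts triaging this kind of paste, the tag layout described above is easy to parse offline. The following is an added example (not code from the post or from the sample) that extracts the base64 blocks, classifies them by the stext/text prefix, and decodes them for inspection only. The closing-tag form (`</text10>`) and the sample paste contents are assumptions: the post only shows the opening tag, and the payloads here are harmless constructed placeholders.

```python
import base64
import re
from typing import Dict, List, NamedTuple

# Constructed sample of a Pastebin-style blob. The tag/closing-tag layout is an
# assumption based on the post's "<text10>" example; the encoded payloads are
# harmless placeholder strings, and one block is deliberately not valid base64.
SAMPLE_PASTE = (
    "some unrelated text\n"
    "<stext10>" + base64.b64encode(b'WScript.Echo "xp placeholder"').decode() + "</stext10>\n"
    "<text10>" + base64.b64encode(b"Write-Host 'vista+ placeholder'").decode() + "</text10>\n"
    "<text11>" + base64.b64encode(b"Write-Host 'second stage'").decode() + "</text11>\n"
    "<text12>not base64!!</text12>\n"
)


class Script(NamedTuple):
    tag: str        # full tag name, e.g. "text10"
    platform: str   # "xp" (VBS path) or "modern" (PowerShell path)
    kind: str       # "vbs" or "ps1"
    body: bytes     # decoded script bytes, never executed here


# Matches <text10>...</text10> and <stext10>...</stext10>; the backreference
# forces the closing tag to match the opening one.
TAG_RE = re.compile(r"<(s?text\d+)>(.*?)</\1>", re.DOTALL)


def classify(tag: str):
    """Map a tag prefix to the platform/script type the post describes."""
    if tag.startswith("stext"):
        return "xp", "vbs"
    return "modern", "ps1"


def extract_scripts(paste: str) -> List[Script]:
    """Return every well-formed, base64-decodable block in document order."""
    scripts = []
    for m in TAG_RE.finditer(paste):
        tag, encoded = m.group(1), m.group(2)
        try:
            # Strip whitespace first; validate=True rejects non-alphabet bytes
            # instead of silently discarding them.
            body = base64.b64decode("".join(encoded.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue  # skip malformed blocks rather than guess at their content
        platform, kind = classify(tag)
        scripts.append(Script(tag, platform, kind, body))
    return scripts


def summarize(scripts: List[Script]) -> Dict[str, int]:
    """Count extracted scripts per target platform."""
    counts: Dict[str, int] = {}
    for s in scripts:
        counts[s.platform] = counts.get(s.platform, 0) + 1
    return counts


if __name__ == "__main__":
    found = extract_scripts(SAMPLE_PASTE)
    for s in found:
        print(f"{s.tag:8} {s.platform:7} {s.kind}  {s.body!r}")
    print("summary:", summarize(found))
```

Run against a saved copy of a paste, the decoded bodies can be reviewed or fed to further static analysis; nothing in the script executes the extracted content.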
The URL of the payload comes from another Pastebin entry:
Correct: that trojan is hosted on Dropbox.
Saw that yesterday myself. Here is a report for such a sample: https://www.hybrid-analysis.com/sample/f42608e8d6c614a85c14f423a9acbd902d4d7b54b3c93decf48adea3f1bdf63c?environmentId=2
Comment by Anonymous — Thursday 9 April 2015 @ 7:22
.BAT==>>.VBS==>>.PS1
Comment by Yogesh — Thursday 9 April 2015 @ 7:30
To be precise, it is VBA -> BAT -> VBS -> PS1 -> EXE on Windows Vista and later.
On Windows XP, it is VBA -> BAT -> (VBS; EXE)
Comment by Didier Stevens — Thursday 9 April 2015 @ 13:20
[…] purchased products, on the other hand, are safe. The trick: the Office document (text, spreadsheet, presentation) contains only a tiny, inconspicuous downloader as a VBA macro. It fetches the code needed for the infection from Pastebin, which in turn […]
Pingback by Neue Gefahr durch MS-Office Trojaner | pc-flüsterer bremen — Saturday 11 April 2015 @ 18:26