For the past day or two, I've been seeing yet another trick used by malware authors in their VBA macros.
The sample I’m looking at is 26B857A0A57B89166584CBB7167CAA19.
The VBA macro downloads base64-encoded scripts from Pastebin:
The scripts are delimited by HTML-like tags like
The URL of the payload comes from another Pastebin entry:
Correct: that trojan is hosted on Dropbox.
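
An added example, not code from the original post: an analyst-side extractor for a saved paste of the kind described above, which decodes each tag-delimited base64 block for inspection and hashes it without executing anything. The tag names `part1`, `part2` and `note` and the sample paste are constructed placeholders, since the post's actual tags are not reproduced here; the parser therefore accepts any matching open/close pair whose body is valid base64.

```python
import base64
import binascii
import hashlib
import re

# <name>body</name>, where the closing tag must repeat the opening name.
TAG_RE = re.compile(r"<([A-Za-z][\w-]*)>(.*?)</\1>", re.DOTALL)
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def extract_scripts(paste_text):
    """Return {tag_name: decoded_bytes} for each tag pair holding valid base64."""
    found = {}
    for name, body in TAG_RE.findall(paste_text):
        compact = "".join(body.split())  # remove line wraps and spaces
        if not compact or len(compact) % 4 or not B64_RE.fullmatch(compact):
            continue  # ordinary markup or a damaged block, not base64
        try:
            found[name] = base64.b64decode(compact, validate=True)
        except binascii.Error:
            continue
    return found


def triage(scripts):
    """Return (tag, size, sha256) rows an analyst can log or pivot on."""
    return [(name, len(data), hashlib.sha256(data).hexdigest())
            for name, data in sorted(scripts.items())]


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample paste: two harmless "scripts" plus one non-base64 element.
_wrapped = _b64("' constructed script two")
SAMPLE = (
    "<part1>" + _b64("' constructed script one") + "</part1>\n"
    "<note>not base64!</note>\n"
    "<part2>" + _wrapped[:8] + "\n" + _wrapped[8:] + "</part2>\n"
)

if __name__ == "__main__":
    for tag, size, digest in triage(extract_scripts(SAMPLE)):
        print(f"{tag}\t{size} bytes\tsha256={digest}")
```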