Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Have you analyzed malicious Office documents with VBA macros? Did they contain a userform? Like this (MD5 4e0c55054c4f7c32aece5cfbbea02846):

Then take a look at the content of the stream with a name that ends with /o:

You can see that it contains a URL.

Sometimes you will analyze the VBA code of malicious documents, but not find the URL. That" />

Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
IT Security consultant at Contraste Europe.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Internet Storm Center Infocon Status