Microsoft researchers recently detected a file containing a VBA project that scripts a malicious macro.

A piece of malware that targets Office (dubbed TrojanDownloader:O97M/Donoff) has been active for years, but within VBA modules, which appear to be legitimate SQL programs engaged by a macro, the researchers discovered a “a strange string in the Caption field for CommandButton3 in the user form.” This seemed to be an encrypted string, so on further investigation found “something unusual” in Module2.

“A macro there (UsariosConectados) decrypts the string in the Caption field for CommandButton3, which turns out to be a URL. It uses the default autoopen() macro to run the entire VBA project when the document is opened.”

This will link to a URL (hxxp://<uniqueid>) and download a malicious payload – Ransom:Win32/Locky.

Microsoft advises that to prevent macro-based malware, Office users only engage self-written macros or those known to come from trusted sources.