There are a couple of interesting aspects to this document. The first, that I will point out here, is that the VBA code is quite simple.
The code is quite short. And there is string obfuscation.
In this diary, I’m not going to analyze this document.
If you are interested, I’m challenging you to analyze it. I’ve copied the code you see above to pastebin, so that you can have a go at it without needing the actual malware sample.
If you participate, please post a comment with your solution. I’m particularly interested in your analysis method, rather than the deobfuscated command.
Have fun 🙂
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.