Analyzing Macro Malware in Office Documents

When to Use

• A suspicious Office document (.doc, .docm, .xls, .xlsm, .ppt) has been flagged by email security
• Investigating phishing campaigns that deliver weaponized Office documents
• Extracting VBA macro code to identify the payload download URL and execution method
• Analyzing obfuscated VBA code to understand the full attack chain
• Determining if a document uses DDE, ActiveX, or remote template injection instead of macros

Do not use for analyzing non-macro Office threats (DDE, remote template injection); while this skill covers detection of these, specialized analysis may be needed.

Prerequisites

• Python 3.8+ with oletools installed (pip install oletools)
• oledump.py from Didier Stevens (https://blog.didierstevens.com/programs/oledump-py/)
• Isolated analysis VM without Microsoft Office installed (prevents accidental execution)
• XLMDeobfuscator for Excel 4.0 macro analysis (pip install xlmdeobfuscator)
• LibreOffice for safe document rendering (does not execute VBA macros by default)