analyzing-macro-malware-in-office-documents

# Analyzing Macro Malware in Office Documents ## When to Use - A suspicious Office document (.doc, .docm, .xls, .xlsm, .ppt) has been flagged by email security - Investigating phishing campaigns that deliver weaponized Office documents - Extracting VBA macro code to identify the payload download URL and execution method - Analyzing obfuscated VBA code to understand the full attack chain - Determining if a document uses DDE, ActiveX, or remote template injection instead of macros **Do not use** for analyzing non-macro Office threats (DDE, remote template injection); while this skill covers detection of these, specialized analysis may be needed. ## Prerequisites - Python 3.8+ with oletools installed (`pip install oletools`) - oledump.py from Didier Stevens (https://blog.didierstevens.com/programs/oledump-py/) - Isolated analysis VM without Microsoft Office installed (prevents accidental execution) - XLMDeobfuscator for Excel 4.0 macro analysis (pip install xlmdeobfuscator) - LibreOffice for safe document rendering (does not execute VBA macros by default) ## Workflow ### Step 1: Initial Document Triage Determine if the document contains macros or other active content: ```bash # Quick triage with olevba olevba suspect.docm # Check for OLE streams and macros oleid suspect.docm # Output indicators: # VBA Macros: True/False # XLM Macros: True/False # External Relationships: True/False (remote template) # ObjectPool: True/False (embedded objects) # Fla...