Adversaries may embed VBA macros in MS Office documents to execute malicious code and establish persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential malware delivery vectors and early-stage compromise indicators.
YARA Rule
rule Contains_VBA_macro_code
{
    meta:
        author = "evild3ad"
        description = "Detect a MS Office document with embedded VBA macro code"
        date = "2016-01-09"
        filetype = "Office documents"

    strings:
        $officemagic = { D0 CF 11 E0 A1 B1 1A E1 }   // OLE2 compound file header (.doc/.xls/.ppt)
        $zipmagic = "PK"                             // ZIP header (OOXML .docm/.xlsm/.pptm)

        $97str1 = "_VBA_PROJECT_CUR" wide
        $97str2 = "VBAProject"
        $97str3 = { 41 74 74 72 69 62 75 74 00 65 20 56 42 5F } // Attribute VB_

        $xmlstr1 = "vbaProject.bin"
        $xmlstr2 = "vbaData.xml"

    condition:
        ($officemagic at 0 and any of ($97str*)) or ($zipmagic at 0 and any of ($xmlstr*))
}
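To make the two branches of the condition concrete, here is an added pure-Python re-implementation of the rule's logic (not the page's or the rule author's code), evaluated against constructed sample byte buffers rather than real documents. It shows how the OLE2 branch and the OOXML/ZIP branch are selected by the magic bytes at offset 0, and how the wide (UTF-16LE) string differs from the ASCII ones.

```python
# Added example: re-implements the Contains_VBA_macro_code condition in plain
# Python so the detection branches can be traced without yara-python installed.
# All sample buffers below are constructed for illustration, not real Office files.

OFFICE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # $officemagic: OLE2 compound file header
ZIP_MAGIC = b"PK"                                  # $zipmagic: OOXML documents are ZIP archives

# $97str* strings for legacy binary (.doc/.xls) containers. "wide" in YARA means
# the string is matched in its UTF-16LE form, so $97str1 is encoded that way here.
OLE_STRINGS = {
    "$97str1": "_VBA_PROJECT_CUR".encode("utf-16-le"),
    "$97str2": b"VBAProject",
    "$97str3": b"Attribut\x00e VB_",   # same bytes as { 41 74 74 72 69 62 75 74 00 65 20 56 42 5F }
}
# $xmlstr* strings for OOXML (.docm/.xlsm/.pptm) containers.
OOXML_STRINGS = {
    "$xmlstr1": b"vbaProject.bin",
    "$xmlstr2": b"vbaData.xml",
}


def match_vba_macro_rule(data: bytes) -> list[str]:
    """Evaluate the rule's condition on a byte buffer and return the identifiers
    of the strings that matched (empty list = no match), like `yara -s` reports."""
    if data.startswith(OFFICE_MAGIC):            # $officemagic at 0
        return [name for name, s in OLE_STRINGS.items() if s in data]
    if data.startswith(ZIP_MAGIC):               # $zipmagic at 0
        return [name for name, s in OOXML_STRINGS.items() if s in data]
    return []                                    # neither container: rule cannot fire


# Constructed samples: container header, padding, then the marker under test.
SAMPLE_OLE_WITH_MACRO = OFFICE_MAGIC + b"\x00" * 64 + "_VBA_PROJECT_CUR".encode("utf-16-le")
SAMPLE_OLE_NO_MACRO = OFFICE_MAGIC + b"\x00" * 64 + b"WordDocument"
SAMPLE_OOXML_WITH_MACRO = ZIP_MAGIC + b"\x03\x04" + b"\x00" * 26 + b"word/vbaProject.bin"
SAMPLE_TEXT_WITH_MARKER = b"VBAProject vbaProject.bin"   # markers present, but no Office header

if __name__ == "__main__":
    for label, buf in [("ole+macro", SAMPLE_OLE_WITH_MACRO), ("ole", SAMPLE_OLE_NO_MACRO),
                       ("ooxml+macro", SAMPLE_OOXML_WITH_MACRO), ("text", SAMPLE_TEXT_WITH_MARKER)]:
        print(f"{label:12s} -> {match_vba_macro_rule(buf) or 'no match'}")
```

The last sample illustrates the rule's scoping: the marker strings alone do not trigger it unless the file also begins with one of the two container signatures.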
This rule contains 7 string patterns in its detection logic. The following scenarios describe legitimate uses of embedded VBA macros that may match the rule when it is deployed, each with a suggested filter or exclusion to reduce false positives:
Scenario: Automated report generation using Microsoft Excel templates
Description: A scheduled job runs a script that generates reports using Excel templates with embedded VBA macros for automation.
Filter/Exclusion: Exclude files created by the Power BI Report Builder or files with a CreatedBy field indicating a known reporting tool.
Scenario: System maintenance script using Word document macros
Description: An admin task uses a Word document with VBA macros to automate system cleanup or configuration changes.
Filter/Exclusion: Exclude files with a DocumentSummaryInfo field indicating they are used for administrative tasks, or files located in the C:\Windows\System32 directory.
Scenario: Legacy application compatibility testing
Description: A QA team uses an old MS Word document with VBA macros to test compatibility with legacy applications.
Filter/Exclusion: Exclude files with a LastModified timestamp older than 5 years, or files associated with a known QA tool like TestComplete.
Scenario: Email signature generation using VBA
Description: A company uses a VBA macro in an Outlook email template to dynamically generate email signatures based on user data.
Filter/Exclusion: Exclude files with a Subject field containing “Email Signature” or files stored in the Outlook Profiles directory.
Scenario: Document automation via Microsoft SharePoint
Description: A SharePoint workflow uses VBA macros embedded in Word documents to automate data population from a database.
Filter/Exclusion: Exclude files with a Source field indicating they are from a SharePoint document library, or files with a Content Type of “Document Automation”.