Office documents that carry an embedded VBA project may indicate an attempt to deliver malicious code through a document-based attack. SOC teams should proactively hunt for such files in Azure Sentinel to identify phishing or malware delivery attempts that try to get past user macro restrictions.
YARA Rule
rule office_document_vba : maldoc
{
    meta:
        description = "Office document with embedded VBA"
        author = "Jean-Philippe Teissier / @Jipe_"
        date = "2013-12-17"
        reference = "https://github.com/jipegit/"
    strings:
        $officemagic = { D0 CF 11 E0 A1 B1 1A E1 }
        $zipmagic = "PK"
        $97str1 = "_VBA_PROJECT_CUR" wide
        $97str2 = "VBAProject"
        $97str3 = { 41 74 74 72 69 62 75 74 00 65 20 56 42 5F }
        $xmlstr1 = "vbaProject.bin"
        $xmlstr2 = "vbaData.xml"
    condition:
        ($officemagic at 0 and any of ($97str*)) or ($zipmagic at 0 and any of ($xmlstr*))
}
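To see exactly what the condition above does, the following is an added example (not the rule author's code and not part of the original page) that re-implements the rule's seven string patterns and its two container branches in plain Python, without needing yara-python, and runs them over constructed sample blobs. The sample contents, sample names and function names are illustrative assumptions; the blobs are minimal stand-ins, not real Office files.

```python
# Added example (not part of the original rule page): a pure-Python
# re-implementation of the office_document_vba rule's condition, so the
# string patterns and the two container branches can be exercised offline
# on constructed samples without needing yara-python.
import io
import zipfile

# $officemagic: OLE2 / Compound File Binary header, required at offset 0.
OFFICE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# $zipmagic: ZIP local-file-header signature prefix, required at offset 0
# (OOXML formats such as .docm/.xlsm are ZIP containers).
ZIP_MAGIC = b"PK"

# $97str*: indicators for the legacy binary (OLE) formats.
OLE_VBA_STRINGS = {
    # 'wide' in YARA means UTF-16LE, as OLE directory entry names are stored.
    "$97str1": "_VBA_PROJECT_CUR".encode("utf-16-le"),
    "$97str2": b"VBAProject",
    # "Attribut\x00e VB_": the 'Attribute VB_' prefix as it appears in
    # compressed VBA module streams (the 00 is a compression flag byte).
    "$97str3": bytes.fromhex("417474726962757400652056425F"),
}
# $xmlstr*: VBA part names inside an OOXML ZIP container.
OOXML_VBA_STRINGS = {
    "$xmlstr1": b"vbaProject.bin",
    "$xmlstr2": b"vbaData.xml",
}


def matched_strings(data: bytes) -> dict:
    """Evaluate all seven string patterns: the two magics use 'at 0'
    semantics, the rest match anywhere in the buffer (YARA's default)."""
    result = {
        "$officemagic": data.startswith(OFFICE_MAGIC),
        "$zipmagic": data.startswith(ZIP_MAGIC),
    }
    for name, pattern in {**OLE_VBA_STRINGS, **OOXML_VBA_STRINGS}.items():
        result[name] = pattern in data
    return result


def matches_office_document_vba(data: bytes) -> bool:
    """The rule's condition:
    ($officemagic at 0 and any of ($97str*)) or ($zipmagic at 0 and any of ($xmlstr*))"""
    m = matched_strings(data)
    ole_branch = m["$officemagic"] and any(m[n] for n in OLE_VBA_STRINGS)
    ooxml_branch = m["$zipmagic"] and any(m[n] for n in OOXML_VBA_STRINGS)
    return ole_branch or ooxml_branch


# --- constructed samples (minimal stand-ins, not real Office files) ---

def _zip_with(parts: dict) -> bytes:
    """Build an in-memory ZIP; the first local header puts 'PK' at offset 0."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        for name, payload in parts.items():
            z.writestr(name, payload)
    return buf.getvalue()


def build_macro_docm() -> bytes:
    """OOXML container carrying a VBA project part (what a .docm looks like)."""
    return _zip_with({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"\x00" * 32,  # placeholder, not a real VBA stream
    })


def build_benign_docx() -> bytes:
    """OOXML container with no VBA part: same ZIP magic, no indicator."""
    return _zip_with({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
    })


def build_ole_with_vba() -> bytes:
    """Legacy binary document: CFB header followed by a VBAProject marker."""
    return OFFICE_MAGIC + b"\x00" * 504 + b"VBAProject" + b"\x00" * 22


def build_ole_without_vba() -> bytes:
    """Legacy binary document with no VBA indicator at all."""
    return OFFICE_MAGIC + b"\x00" * 504 + b"WordDocument" + b"\x00" * 20


def scan_samples() -> dict:
    """Run the rule over every constructed sample; keyed by sample name."""
    samples = {
        "macro_docm": build_macro_docm(),
        "benign_docx": build_benign_docx(),
        "ole_with_vba": build_ole_with_vba(),
        "ole_without_vba": build_ole_without_vba(),
        # Mentions the markers but is not an Office container at all.
        "text_file": b"Notes about VBAProject and vbaProject.bin in plain text",
        # ZIP container with an OLE-branch marker only: the branches do not mix.
        "zip_with_ole_marker_only": ZIP_MAGIC + b"VBAProject",
    }
    return {name: matches_office_document_vba(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:28s} {'MATCH' if hit else 'no match'}")
```

Two points the samples make explicit: the rule keys purely on file content, so an exclusion based on file extension or creating user (as in the scenarios below) has to live in the hunting query, not in the rule; and each container branch only consults its own indicator set, so a ZIP that merely contains the string "VBAProject" does not fire.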
This YARA rule can be deployed in the following contexts:
This rule contains 7 string patterns in its detection logic: two container magics ($officemagic for the legacy OLE2 binary format and $zipmagic for the OOXML ZIP format), three legacy-format VBA indicators ($97str1 to $97str3) and two OOXML VBA part names ($xmlstr1 and $xmlstr2). A file matches when either container magic sits at offset 0 and any indicator from that container's own set is present anywhere in the file.
Scenario: A system administrator uses Microsoft Word to generate a report template with embedded VBA for automation.
Filter/Exclusion: Exclude documents created by the Administrator user or those with a file extension like .dotx (template files).
Scenario: A Power Automate flow is configured to generate a Word document with VBA macros for data population.
Filter/Exclusion: Exclude files created by the Power Automate service account or those with a source IP address from the Microsoft cloud infrastructure.
Scenario: A scheduled job runs a Python script using python-docx to generate a Word document with embedded VBA for internal reporting.
Filter/Exclusion: Exclude files generated by processes running under a specific service account or with a known source IP address used for automation.
Scenario: A third-party tool like Aspose.Words is used to generate Word documents with VBA macros for legacy system compatibility.
Filter/Exclusion: Exclude files generated by processes associated with the Aspose.Words application or with a specific process name or parent process.
Scenario: A development team uses Visual Studio to create and test VBA macros in a shared Word document for internal testing.
Filter/Exclusion: Exclude files modified by users in the Development group or those with a specific file path in a development directory.