\nMacros are a series of commands that can be run automatically to perform a task. Macro code is embedded in Office documents written in a programming language known as Visual Basic for Applications (VBA). Macros could be used maliciously to drop malware, download malware, etc. Malicious macro files usually are received in Word documents or Excel spreadsheets but other formats do exist though I have never encountered them. Once a malicious document is opened only a single click is next required for the macro code to run.<\/p>\n
![\"\"](\"\/images\/macrowarning.png\")
<\/p>\n
Automating Macros<\/strong> Below is an example in Word document where AutoOpen() subroutine is set in Modules-NewMacros<\/p>\n The macros could also be added in the “ThisDocument” section and then NewMacros section is not really required<\/p>\n Similarly in Excel the subroutine Workbook_Open() would be in the “ThisWorkbook” section and the Module1 section is not required<\/p>\n What to look for<\/strong>
\nVisual Basic has reserved names for launching code when documents are opened. These names are the key to detect possible malicious code. Sometimes are used for legitimate purposes but generally we should consider them dangerous. For Word the reserved names that could be used maliciously are AutoOpen()<\/strong> and Document_Open()<\/strong> and for Excel the reserved names are Auto_Open()<\/strong> and Workbook_Open().<\/strong> These days malicious documents are using AutoOpen() and Auto_Open() but Document_Open() and Workbook_Open() could also be used.<\/p>\n![\"\"](\"\/images\/autoopen_macro.png\")
<\/p>\n![\"\"](\"\/images\/document_open_macro.png\")
<\/p>\n![\"\"](\"\/images\/workbook_open_macro.png\")
<\/p>\n![\"\"](\"\/images\/auto_open_macro.png\")
<\/p>\n
\nBelow is a table of the kind of strings to search for based on the extension and file format.<\/p>\n
![\"\"](\"\/images\/macroxml.png\")
<\/p>\n![\"\"](\"\/images\/mhttoxlswarning.png\")
<\/a><\/p>\n