Severity: MEDIUM / HIGH | Confidence: OBSERVED | Category: File Inspection

VBA Macro Stream

The file contains a VBA macro stream — embedded code that executes when the user enables macros in Microsoft Office.

Visual Basic for Applications (VBA) is a scripting language embedded in Microsoft Office documents. When macros are enabled by the user, VBA code runs inside the Office process with the same permissions as the user. Macro code can read and write files, make network connections, spawn processes, and call Windows APIs — all from within a document.

The macro stream is the compiled VBA bytecode stored inside the document file. ShieldScope detects its presence structurally — it does not read, decompile, or execute the code.

Format            Extension             Storage location
Open XML (OOXML)  .docm, .xlsm, .pptm   vbaProject.bin inside the ZIP container
Legacy binary     .doc, .xls, .ppt      OLE2 compound document streams (VBA/ directory)
Standard OOXML    .docx, .xlsx, .pptx   Should not contain macros; the presence of vbaProject.bin is unexpected

A .docx file (which should not be macro-enabled by design) that contains a vbaProject.bin entry is particularly suspicious — it may have been crafted to bypass controls that only block macro-enabled extensions.

Office macro malware has been one of the most consistent and effective initial access vectors in enterprise environments for decades. Macro-enabled documents are delivered via phishing email, compromised file shares, or malicious downloads — typically with social engineering designed to convince the recipient to click "Enable Content."

Once macros run, common behaviors include: downloading and executing a secondary payload (dropper pattern), establishing persistence via registry or scheduled task, exfiltrating data to an attacker-controlled server, or spawning a command-and-control agent. The macro is rarely the final payload — it is the delivery mechanism for something else.

Microsoft disabled macros from internet-sourced files by default in 2022 (via Mark of the Web enforcement). This reduced — but did not eliminate — macro-based attacks. Files from internal sources, shared network drives, or channels that strip the internet zone flag remain at risk. Attackers have also adapted with techniques that bypass MOTW, including ISO containers and other archive formats.

DETECTION METHOD
For OOXML formats (.docm, .xlsm, and unexpectedly .docx/.xlsx), ShieldScope inspects the ZIP file index for the presence of vbaProject.bin. For legacy OLE2 binary formats (.doc, .xls), ShieldScope parses the compound document header (D0 CF 11 E0 magic bytes) and inspects the stream directory for VBA-related entries. No macro code is read, decompiled, or executed at any stage.
OBSERVED

The macro stream is structurally present in the file and directly observable from the file index or compound document directory — no pattern matching or heuristics are involved. ShieldScope detects the stream's existence; it cannot determine whether the macro content is malicious without executing or decompiling the code. The observation is: a VBA macro stream is present. The inference that it may be malicious is supported by context, not claimed as fact.
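The structural checks described above, as an added example (not ShieldScope's own code): the OOXML path reads only the ZIP central directory for a vbaProject.bin entry and flags it when the extension is a standard, non-macro format; the OLE2 path verifies the D0 CF 11 E0 signature and walks the compound document's directory sector chain through the FAT, reading entry names only. Function names, the constructed sample files, and the simplification that the FAT sector list fits in the header's DIFAT (true for small files) are assumptions of this example.

```python
import io, struct, zipfile
from pathlib import PurePosixPath
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # D0 CF 11 E0 ... compound document signature
STANDARD_EXTS = {".docx", ".xlsx", ".pptx"}      # formats that should never carry a macro stream
END_OF_CHAIN = 0xFFFFFFFE                        # FAT value terminating a sector chain

def inspect_ooxml(data: bytes, filename: str) -> dict:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # central directory only; nothing is decompressed
        has_vba = any(PurePosixPath(n).name == "vbaProject.bin" for n in zf.namelist())
    ext = PurePosixPath(filename).suffix.lower()
    return {"macro_stream": has_vba, "unexpected_for_extension": has_vba and ext in STANDARD_EXTS}

def ole2_directory_names(data: bytes) -> list:
    """Walk the directory sector chain via the FAT; read entry names only, never stream contents."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2 compound document")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    fat = []
    for s in struct.unpack_from("<109I", data, 0x4C):             # DIFAT entries held in the header
        if s >= END_OF_CHAIN: break
        fat.extend(struct.unpack_from(f"<{sector_size // 4}I", data, (s + 1) * sector_size))
    names, sec = [], struct.unpack_from("<I", data, 0x30)[0]      # first directory sector
    while sec < END_OF_CHAIN:
        base = (sec + 1) * sector_size
        for i in range(sector_size // 128):                       # 128-byte directory entries
            entry = data[base + i * 128: base + (i + 1) * 128]
            name_len = struct.unpack_from("<H", entry, 0x40)[0]   # bytes incl. UTF-16 terminator
            if name_len >= 2: names.append(entry[:name_len - 2].decode("utf-16-le"))
        sec = fat[sec]
    return names
def inspect_ole2(data: bytes) -> dict:
    names = {n.upper() for n in ole2_directory_names(data)}
    return {"macro_stream": bool(names & {"VBA", "_VBA_PROJECT"}), "entries": sorted(names)}
def build_sample_ooxml(members: dict) -> bytes:   # constructed sample container, not a real document
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items(): zf.writestr(name, body)
    return buf.getvalue()
def build_sample_ole2(entry_names) -> bytes:      # constructed minimal OLE2: header + 1 FAT + 1 directory sector
    header, fat, directory = bytearray(512), bytearray(b"\xff" * 512), bytearray(512)
    header[:8], header[0x4C:] = OLE_MAGIC, b"\xff" * (512 - 0x4C)   # signature; all DIFAT slots unused
    struct.pack_into("<H", header, 0x1E, 9)                          # sector shift 9 -> 512-byte sectors
    struct.pack_into("<II", header, 0x2C, 1, 1)                      # one FAT sector; directory at sector 1
    struct.pack_into("<I", header, 0x4C, 0)                          # DIFAT[0]: the FAT lives in sector 0
    struct.pack_into("<II", fat, 0, 0xFFFFFFFD, END_OF_CHAIN)        # sector 0 = FAT itself; sector 1 ends the chain
    for i, raw in enumerate(n.encode("utf-16-le") + b"\x00\x00" for n in entry_names):
        directory[i * 128:i * 128 + len(raw)] = raw
        struct.pack_into("<H", directory, i * 128 + 0x40, len(raw))  # name length incl. terminator
    return bytes(header + fat + directory)
```

Neither path opens vbaProject.bin or any OLE2 stream body, which is what keeps the check an observation of presence rather than a judgement about the macro's behaviour.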

  • Do not enable macros unless you specifically requested a macro-enabled document from a trusted source and have confirmed its provenance through an out-of-band channel (not reply email).
  • If the file arrived via email, treat it as a phishing attachment. Macro-enabled Office files sent unsolicited are a primary delivery mechanism for ransomware and remote access trojans.
  • For files from internal systems — confirm with the sender directly (by phone or separate message) that the macro functionality is intentional and expected before enabling it.
  • Submit to a dynamic sandbox (any.run, VirusTotal, Hybrid Analysis) for behavioral analysis if you need to understand what the macro does without running it on a production system.
  • Check organizational policy — most enterprise environments should have macro execution disabled via Group Policy for non-trusted locations. If your environment allows macros from email attachments, this is a configuration risk independent of this specific file.