A practical guide for anyone who’s ever hovered over “Enable Content” and wondered if they should.<\/em><\/p>\n\n\n\n You receive an .xlsm file from a vendor, a colleague, or a download. It asks you to enable macros. Before you click that button, there’s a better question to ask: what does this macro actually do?<\/strong><\/p>\n\n\n\n This guide walks through a repeatable process for inspecting macro-enabled Office files \u2014 without running them first.<\/p>\n\n\n\n Macros are Visual Basic for Applications (VBA) programs embedded in Office documents. They can automate legitimate tasks like building Gantt charts or generating reports, but they can also execute system commands, download files from the internet, or exfiltrate data. The problem is that Office gives you no way to tell the difference before you enable them.<\/p>\n\n\n\n Making things worse: files can be password-protected<\/strong>, which locks the VBA editor inside Office and prevents you from reading the code through normal means. This is sometimes legitimate (vendors protecting IP), sometimes suspicious.<\/p>\n\n\n\n The good news is that password protection only blocks the Office UI \u2014 it doesn’t protect the underlying binary.<\/p>\n\n\n\n olevba<\/strong> is the primary tool. It’s part of the oletools Python package, developed by Philippe Lagadec, and it reads VBA source code directly from the file binary, bypassing password protection entirely.<\/p>\n\n\n\n Open a command prompt and run pip install oletools<\/strong>. That’s it.<\/p>\n\n\n\n Mac requires a couple of extra steps. macOS ships with Python 2 (or no Python at all on newer versions), and running pip install oletools will either fail or try to install into a system location Apple doesn’t want you touching.<\/p>\n\n\n\n Step 1: Install Python 3 via Homebrew<\/strong><\/p>\n\n\n\n If you don’t have Homebrew installed yet, open Terminal and run this command:<\/p>\n\n\n\n \/bin\/bash -c “$(curl -fsSL https:\/\/raw.githubusercontent.com\/Homebrew\/install\/HEAD\/install.sh)”<\/p>\n\n\n\n Then install Python 3 with brew install python3<\/strong> and verify with python3 –version<\/strong>.<\/p>\n\n\n\n Step 2: Create a virtual environment<\/strong><\/p>\n\n\n\n macOS will block pip install at the system level with an externally-managed-environment error. The fix is to install into a virtual environment instead \u2014 an isolated folder that doesn’t touch system Python at all.<\/p>\n\n\n\n Create the environment once with python3 -m venv oletools-env<\/strong>, then activate it with source oletools-env\/bin\/activate<\/strong>. Your prompt will change to show (oletools-env). Now run pip install oletools<\/strong>.<\/p>\n\n\n\n When you’re done, run deactivate<\/strong> to exit the environment. Next time you want to use olevba, just run source oletools-env\/bin\/activate<\/strong> first.<\/p>\n\n\n\n Run olevba your_file.xlsm<\/strong> replacing the filename with your actual file. This extracts all VBA modules and produces a summary table at the bottom flagging suspicious keywords. It looks something like this:<\/p>\n\n\n\n Type: AutoExec \u2014 Keyword: Workbook_Open \u2014 Runs when the Excel Workbook is opened<\/p>\n\n\n\n Type: Suspicious \u2014 Keyword: Shell \u2014 May run an executable file or system command<\/p>\n\n\n\n Type: Suspicious \u2014 Keyword: CreateObject \u2014 May create an OLE object<\/p>\n\n\n\n Type: IOC \u2014 Keyword: https:\/\/example.com \u2014 URL<\/p>\n\n\n\n Don’t panic at this table. Every flag needs to be read in context \u2014 a Shell call that opens a saved PDF is very different from one that executes a downloaded payload.<\/p>\n\n\n\n The summary table tells you what keywords exist<\/em>. The code tells you what they do<\/em>. Scroll up from the summary and read through each module.<\/p>\n\n\n\n Here’s what to look for:<\/p>\n\n\n\n These run automatically without any user interaction. The function is called Workbook_Open and it executes the moment macros are enabled. Pay close attention to Workbook_Open, Auto_Open, and Document_Open \u2014 these are the entry points. Start reading here.<\/p>\n\n\n\n This is the most dangerous class of behavior. A legitimate use opens a known application like Windows Explorer with a file path. A suspicious one passes an encoded string to PowerShell \u2014 something like Shell “powershell -enc ” & encodedCommand<\/strong>. Encoded PowerShell is a significant red flag. It means the author is deliberately hiding what’s being executed.<\/p>\n\n\n\n Code that creates a WinHttpRequest object and calls a URL isn’t automatically malicious \u2014 license validation, version checks, and telemetry are common. The question is: what URL, and what data is being sent?<\/strong> Check whether any sensitive data like usernames, file contents, or environment variables is included in the request.<\/p>\n\n\n\n Legitimate code rarely needs to hide itself. Watch for long chains of Chr() calls building strings character by character, Base64-encoded strings being decoded at runtime, and variables with meaningless names holding fragments of a URL or command. For example, a string of Chr() calls decoding to “powershell” is a serious warning sign. Run olevba –decode<\/strong> to attempt automatic deobfuscation.<\/p>\n\n\n\n olevba sometimes flags VBA Stomping<\/strong> \u2014 a condition where the stored source code and the compiled P-code differ. This matters because Office can execute either version, and they may not do the same thing. When detected, the summary will flag it as suspicious with the message “VBA source code and P-code are different.”<\/p>\n\n\n\n This has two common explanations:<\/p>\n\n\n\n Context matters here. A stomped file from a known vendor with a plausible business reason is very different from a stomped file that arrived via email from an unknown sender.<\/p>\n\n\n\n After reading the code, here are the things that should genuinely concern you, regardless of context:<\/p>\n\n\n\n And here are things that look suspicious but usually aren’t:<\/p>\n\n\n\n If the file is from an untrusted source or contains something you still can’t explain after reading the code, use these additional steps:<\/p>\n\n\n\n Run in an isolated environment.<\/strong> A virtual machine with no network access and no access to your real files is the safest way to observe runtime behavior. Tools like Any.run<\/a> or Cuckoo Sandbox<\/a> can automate this.<\/p>\n\n\n\n Rename and extract.<\/strong> .xlsm files are ZIP archives. Change the extension to .zip, extract, and look at xl\/vbaProject.bin alongside the XML files in xl\/. You can sometimes find hardcoded strings, URLs, or file paths that aren’t obvious in the VBA source.<\/p>\n\n\n\n
\n\n\n\n
\n\n\n\nWhy This Matters<\/h2>\n\n\n\n
\n\n\n\nWhat You’ll Need<\/h2>\n\n\n\n
Windows<\/h3>\n\n\n\n
Mac \u2014 Read This First<\/h3>\n\n\n\n
\n\n\n\nStep 1: Run the Basic Scan<\/h2>\n\n\n\n
\n\n\n\nStep 2: Read the Actual Code<\/h2>\n\n\n\n
AutoExec Triggers<\/h3>\n\n\n\n
Shell and Command Execution<\/h3>\n\n\n\n
Network Activity<\/h3>\n\n\n\n
Obfuscation<\/h3>\n\n\n\n
\n\n\n\nStep 3: Understand VBA Stomping<\/h2>\n\n\n\n
\n
\n\n\n\nStep 4: Check for the Real Red Flags<\/h2>\n\n\n\n
Finding<\/th> Why It’s Concerning<\/th><\/tr><\/thead> Encoded PowerShell (-enc, -encodedCommand)<\/td> Actively hiding executed commands<\/td><\/tr> Downloads to %TEMP% then executes<\/td> Classic dropper behavior<\/td><\/tr> Reads Office credentials or saved passwords<\/td> Data theft<\/td><\/tr> Sends data to an unexpected external URL<\/td> Exfiltration<\/td><\/tr> CreateObject(“Scripting.FileSystemObject”) writing files<\/td> Persistent malware installation<\/td><\/tr> Multiple layers of deobfuscation<\/td> Evasion of security tools<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n Finding<\/th> Likely Explanation<\/th><\/tr><\/thead> Shell opening a known application<\/td> Opening exported files, launching browser<\/td><\/tr> CreateObject(“WinHttp…”)<\/td> License validation, update checks<\/td><\/tr> Environ(“computername”)<\/td> License tying, telemetry<\/td><\/tr> Mac-specific popen \/ libc.dylib calls<\/td> Cross-platform compatibility code<\/td><\/tr> VBA Stomping on a commercial product<\/td> Vendor IP protection<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n\n\n\nStep 5: For High-Stakes Files, Go Further<\/h2>\n\n\n\n