Analyzing Macro Malware in Office Documents When to Use - A suspicious Office document (.doc, .docm, .xls, .xlsm, .ppt) has been flagged by email security - Investigating phishing campaigns that deliver weaponized Office documents - Extracting VBA macro code to identify the payload download URL and execution method - Analyzing obfuscated VBA code to understand the full attack chain - Determining if a document uses DDE, ActiveX, or remote template injection instead of macros Do not use for analyzing non-macro Office threats (DDE, remote template injection); while this skill covers detection of…