How can I safely view the code of a VBA macro?

Question

I have received a phishing email with the usual bogus bill in the form of a Word document. I am curious about what the probable virus wants to do so I would like to inspect the code.

At the moment Word opens the docx in protected mode, and I am not going to disable that as I assume that the VBA macro would execute immediately.

I know that a VM might be a solution, but excluding that (I don't have one to hand), is there a simple way to see the macro code without executing it? I'm thinking something like open it in Notepad or similar. I know Notepad doesn't read .docx but along those lines.

Answer 1

Microsoft Office fileas are actually nothing but glorified zip files. If you change the extention to .zip you can extract the content. There you should find the file word\vbaProject.bin that contains the VBA macros. However, as the extention suggests, this file is binary and is not much help in letting you read the source code.

Fortunately Microsoft has published the specs for the format, and there are a number of programs that can help you. I have not tried any of them, but there is a nice list on Decalage. Check it out for more details! These are the programs listed there:

• olevba
• oledump.py
• officeparser.py
• OfficeMalScanner

A minor detail: A docx file should not contain a macro, as those are not allowed in docx files. According to Microsoft:

Word lets you save macros in two Word file types: a Word Macro-Enabled Document file (.docm) and a Word Macro-Enabled Template file (.dotm).

Answer 2

Upload it to VirusTotal. Not only will you find out how many antivirus programs detect it automatically and what their classification is, but on the "File Details" tab you can see the macro and VBA code embedded in the document.

Example (which I received several months ago in a message nearly identical to the one you describe): https://www.virustotal.com/en/file/099f9605c1960e20572109ec466e0c05cdea7a1c4a82fea4f44c3f6a4a94b2b3/analysis/1473176084/

Ok, this one was an old format Word Document (OLE Compound Document File), not the new ZIP+XML format. I'd be very surprised if the tools can't perform at least the same level of analysis on the DOCX.

Answer 3

• Regarding the check with VirusTotal, please be aware that only the first lines of each of the "Macros And VBA Code Streams" are displayed (details tab).
  • Just for example (this .dotm is reported like a malware, but I'm investigating it to understand if it's not): https://www.virustotal.com/gui/file/46dd48caaaf2a36902739ed1cc11b9f073f1b76fc27af4cfb2f0264ae1838f71/details
• Here other methods are explained: https://stackoverflow.com/questions/267607/how-can-i-find-out-what-a-macro-does-without-exposing-myself-to-it
  • But be aware that the Shift key does not prevent the execution of "ActiveX triggers" as explained here: http://www.decalage.info/vbashift so don't click "Enable Content" before you've investigated the macros.
  • This worked for me ("You can "enable editing" if asked, no macro will be executed") and doing this way I'm investigating a .dotm file: https://stackoverflow.com/a/35663074/6390099