Discrepancies between the VBA source code and the compiled p-code stored inside Office documents. Defender perspective: anomalies in the file's metadata streams, Office processes loading macros whose p-code does not match their source, and script execution with no corresponding source metadata.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| MonitoredExtensions | Expand or restrict which Office file types (.docm, .xlsm, .pptm) are flagged for VBA project analysis. |
| TimeWindow | Correlate Office process execution with subsequent script execution within a narrow window. |
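The two mutable elements above expressed as detection logic, as an added example that is not part of the original analytic: Sysmon EventCode=11 writes of MonitoredExtensions are queued for VBA project analysis, and EventCode=1 Office process starts are correlated with script-host execution inside TimeWindow. The Office and script-host image names, the 60-second window and the sample events are constructed assumptions.

```python
"""Windows analytic as code: flag macro-enabled Office files written to disk (Sysmon
EventCode=11) and correlate Office starts with script-host execution inside TimeWindow."""
import ntpath
from datetime import datetime, timedelta

# Mutable elements of the analytic; these defaults are constructed for the example.
MONITORED_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
TIME_WINDOW = timedelta(seconds=60)
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
# Constructed sample Sysmon events (EventCode 1 = process create, 11 = file create).
SAMPLE_EVENTS = [
    {"EventCode": 11, "UtcTime": "2024-01-10 09:00:01", "Image": OFFICE + "OUTLOOK.EXE",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\invoice.docm"},
    {"EventCode": 11, "UtcTime": "2024-01-10 09:00:02", "Image": OFFICE + "OUTLOOK.EXE",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\notes.txt"},
    {"EventCode": 1, "UtcTime": "2024-01-10 09:00:05", "Image": OFFICE + "WINWORD.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventCode": 1, "UtcTime": "2024-01-10 09:00:12", "Image": "C:\\Windows\\System32\\wscript.exe",
     "ParentImage": OFFICE + "WINWORD.EXE"},
    {"EventCode": 1, "UtcTime": "2024-01-10 09:30:00", "Image": OFFICE + "EXCEL.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventCode": 1, "UtcTime": "2024-01-10 09:45:00", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

def _name(path):
    return ntpath.basename(path).lower()  # ntpath handles Windows separators on any host

def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")

def files_for_vba_analysis(events):
    """EventCode=11 writes of monitored Office types: queue these for p-code vs source comparison."""
    return [e["TargetFilename"] for e in events
            if e["EventCode"] == 11
            and ntpath.splitext(e["TargetFilename"])[1].lower() in MONITORED_EXTENSIONS]

def office_to_script_chains(events):
    """EventCode=1 pairs: (office image, script image, seconds apart, parent is that Office process)."""
    procs = sorted((e for e in events if e["EventCode"] == 1), key=_ts)
    hits = []
    for office in (p for p in procs if _name(p["Image"]) in OFFICE_IMAGES):
        for child in procs:
            gap = _ts(child) - _ts(office)
            if _name(child["Image"]) in SCRIPT_HOSTS and timedelta(0) <= gap <= TIME_WINDOW:
                hits.append((_name(office["Image"]), _name(child["Image"]),
                             int(gap.total_seconds()), _name(child["ParentImage"]) == _name(office["Image"])))
    return hits
```

The PowerShell start 15 minutes after Excel falls outside the window and is not reported; the wscript.exe child of WINWORD.EXE seven seconds after launch is.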

Execution of macros under Wine or LibreOffice with inconsistent VBA metadata. Defender perspective: file analysis showing embedded p-code without matching source streams.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve calls to soffice.bin with suspicious macro execution flags |
| File Metadata (DC0059) | linux:syslog | Discrepancies between _VBA_PROJECT p-code and source code extracted with oletools/pcodedmp |

| Field | Description |
|---|---|
| ScannerTooling | Choice of OLE/P-code analysis utilities (oletools, pcodedmp, custom disassembler). |

Opening of Office files where the VBA source code appears benign or is missing, but the p-code remains active. Defender perspective: Office applications executing macros that lack visible source components.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | Process execution of Microsoft Word, Excel, PowerPoint with macro execution attempts |
| File Metadata (DC0059) | macos:unifiedlog | Detection of altered _VBA_PROJECT or PerformanceCache streams |

| Field | Description |
|---|---|
| OfficeVersionScope | Adjust for specific Office versions in use across macOS endpoints. |