Operator On The Wire

DOCX

Finding              Severity
-------------------  ---------
Macro present        Medium
AutoOpen present     High
Shell + PowerShell   Very High
URLDownloadToFile    Critical
Encoded payload      Critical

Suspicious Patterns:

  • 50–500 KB (macro droppers)
  • 1–2 embedded objects
  • vbaProject.bin present
  • External template reference
  • Very recent creation/modification timestamps
  • AutoOpen / Document_Open macros

Identify

file sample.docx

Confirm:

  • Is it actually Word?
  • Or renamed ZIP?
  • Or RTF?

Enumerate

(DOCX = ZIP)

unzip -l sample.docx

Look for:

  • word/vbaProject.bin
  • word/_rels/
  • docProps/core.xml
  • embeddings/
  • customXml/

Extract Safely (No Execution)

7z x sample.docx -oextracted_doc

# OR targeted extraction:

unzip sample.docx word/vbaProject.bin
unzip sample.docx docProps/core.xml

Hunt

Common malicious DOC patterns:

  • vbaProject.bin
  • Auto-execution functions:
    • AutoOpen
    • Document_Open
  • CreateObject
  • WScript.Shell
  • PowerShell
  • Base64 blobs
  • URLDownloadToFile
  • Hardcoded URLs

# Inspect macro content
strings word/vbaProject.bin | less

# Hunt URLs
strings word/vbaProject.bin | grep -i http

# Hunt PowerShell
strings word/vbaProject.bin | grep -i powershell

Metadata

unzip -p sample.docx docProps/core.xml

Check:

  • <dc:creator>
  • <cp:lastModifiedBy>
  • Creation vs modification delta
  • Company field

Red flags:

  • Random author
  • Blank metadata
  • Created and modified within seconds

Macros

# If word/vbaProject.bin is listed, macros are present

unzip -l sample.docx | grep -i vba

# Hunt

# Execution
strings word/vbaProject.bin | grep -i auto
strings word/vbaProject.bin | grep -i open
strings word/vbaProject.bin | grep -i shell
strings word/vbaProject.bin | grep -i createobject
strings word/vbaProject.bin | grep -i wscript

# Connection
strings word/vbaProject.bin | grep -i http

# Obfuscation
strings word/vbaProject.bin | grep -i chr
strings word/vbaProject.bin | grep -i split
strings word/vbaProject.bin | grep -i strreverse

Look for:

  • Shell
  • CreateObject
  • WScript.Shell
  • cmd.exe
  • powershell
  • URLs / IPs
  • Chr(65)
  • StrReverse
  • Split
  • Auto-execution entry points
    • AutoOpen
    • Document_Open
    • Workbook_Open
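The enumerate / hunt / metadata steps above folded into one static triage script, as an added example that is not part of this knowledge-base entry. It assumes a sample DOCX constructed in memory whose fake vbaProject.bin is plain text rather than a real OLE container; severities come from the table at the top, and "Red flag" is my own label for items the table does not rate.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/", "dcterms": "http://purl.org/dc/terms/"}

def _ts(text):  # W3CDTF as used in core.xml, e.g. 2024-03-01T09:15:02Z
    return datetime.fromisoformat(text.replace("Z", "+00:00")) if text else None

def triage_docx(data: bytes) -> list:
    """Static triage of DOCX bytes: returns (severity, finding) pairs and never runs a macro."""
    z = zipfile.ZipFile(io.BytesIO(data))
    names = set(z.namelist())
    out = []
    if "word/vbaProject.bin" in names:
        out.append(("Medium", "Macro present (word/vbaProject.bin)"))
        # strings-style view; real module source is MS-OVBA compressed, so only fragments surface
        text = z.read("word/vbaProject.bin").decode("latin-1")
        if re.search(r"AutoOpen|Document_Open|Workbook_Open", text, re.I):
            out.append(("High", "Auto-execution entry point"))
        if re.search(r"\bShell\b", text, re.I) and re.search(r"powershell", text, re.I):
            out.append(("Very High", "Shell + PowerShell"))
        if re.search(r"URLDownloadToFile", text, re.I):
            out.append(("Critical", "URLDownloadToFile"))
        if re.search(r"[A-Za-z0-9+/]{60,}={0,2}", text):
            out.append(("Critical", "Encoded payload (base64-like blob)"))
    rels = "word/_rels/settings.xml.rels"  # an attached external template is referenced here
    if rels in names and b'TargetMode="External"' in z.read(rels):
        out.append(("Red flag", "External template reference"))
    if "docProps/core.xml" in names:
        root = ET.fromstring(z.read("docProps/core.xml"))
        if not (root.findtext("dc:creator", "", NS) or "").strip():
            out.append(("Red flag", "Blank author metadata"))
        c = _ts(root.findtext("dcterms:created", "", NS))
        m = _ts(root.findtext("dcterms:modified", "", NS))
        if c and m and abs((m - c).total_seconds()) < 60:
            out.append(("Red flag", "Created and modified within seconds"))
    return out

def build_sample() -> bytes:
    """Constructed sample document (hypothetical content, not a real malware sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/vbaProject.bin", 'Sub AutoOpen()\n Set o = CreateObject("WScript.Shell")\n'
                   ' o.Run "powershell -enc ' + "QUFB" * 20 + '"\nEnd Sub\n')
        z.writestr("docProps/core.xml", '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
                   '<dc:creator></dc:creator><dcterms:created>2024-03-01T09:15:02Z</dcterms:created>'
                   '<dcterms:modified>2024-03-01T09:15:09Z</dcterms:modified></cp:coreProperties>'
                   % (NS["cp"], NS["dc"], NS["dcterms"]))
    return buf.getvalue()
```

Run `triage_docx(open("sample.docx", "rb").read())` on a real file; the sample above yields Medium, High, Very High, Critical and two Red flag findings.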