An AutoOpen macro in a Microsoft Office document runs automatically when the document is opened, either after the user clicks through the macro warning or with no prompt at all when macro security has been weakened or the file sits in a Trusted Location. That makes it a common first stage for macro-based malware delivery, and SOC teams should hunt for the pattern in Azure Sentinel to catch early-stage intrusions that other controls may have missed. One caveat applies throughout: the rule below checks for the OLE2 compound-file header, so it matches only legacy binary formats (.doc, .xls, .dot, .xlt); OOXML files such as .docm, .dotm and .xlsm are ZIP containers and are not covered by it.
YARA Rule
rule Office_AutoOpen_Macro : maldoc {
    meta:
        description = "Detects a Microsoft Office file that contains the AutoOpen Macro function"
        author = "Florian Roth"
        date = "2015-05-28"
        score = 60
        hash1 = "4d00695d5011427efc33c9722c61ced2"
        hash2 = "63f6b20cb39630b13c14823874bd3743"
        hash3 = "66e67c2d84af85a569a04042141164e6"
        hash4 = "a3035716fe9173703941876c2bde9d98"
        hash5 = "7c06cab49b9332962625b16f15708345"
        hash6 = "bfc30332b7b91572bfe712b656ea8a0c"
        hash7 = "25285b8fe2c41bd54079c92c1b761381"
    strings:
        $s1 = "AutoOpen" ascii fullword   // procedure name, not part of a longer identifier
        $s2 = "Macros" wide fullword      // OLE2 storage name for the VBA project, stored as UTF-16LE
    condition:
        // OLE2/CFBF magic at offset 0 (legacy .doc/.xls/.dot only), both strings, size cap
        uint32be(0) == 0xd0cf11e0 and all of ($s*) and filesize < 300000
}
The detection logic is deliberately small: two string patterns, both required ($s1, the ASCII procedure name "AutoOpen", and $s2, the UTF-16LE storage name "Macros" under which Word keeps the VBA project in a .doc file), gated on the OLE2 compound-file magic 0xD0CF11E0 at offset 0 and a file size below 300000 bytes. Because of the header check the rule fires only on legacy binary Office files, never on OOXML (.docm, .dotm, .xlsm), which begin with the ZIP signature. The scenarios below describe benign contexts in which it may still fire and how to scope exclusions.
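To make the condition concrete, here is an added example, not code from the page or from the rule's author, that re-implements the rule's four clauses in plain Python and evaluates them over constructed byte blobs, one per clause. It needs no yara-python; the fullword handling mirrors YARA's behaviour (no alphanumeric neighbour on either side, checked per 16-bit unit for the wide string) but is an approximation of libyara, not libyara itself. The sample names and blobs are constructed for illustration and are not real documents.

```python
import re
import struct

# Added example, not part of the page or of Florian Roth's rule: the rule's
# condition rewritten in plain Python so it runs without yara-python, plus
# constructed samples that exercise each clause. Fullword handling follows
# YARA's rule (no alphanumeric neighbour; a 16-bit unit for wide strings) but
# is an approximation, not libyara.

OLE2_MAGIC = 0xD0CF11E0   # first four bytes of a legacy CFBF Office file, read big-endian
MAX_SIZE = 300000         # the rule's "filesize < 300000"

# $s1 = "AutoOpen" ascii fullword
S1_AUTOOPEN = re.compile(rb"(?<![A-Za-z0-9])AutoOpen(?![A-Za-z0-9])")
# $s2 = "Macros" wide fullword: "Macros" as UTF-16LE, the OLE2 storage name
# Word uses for the VBA project. The neighbour check looks at the adjacent
# 16-bit unit, i.e. an alphanumeric byte followed by 0x00.
S2_MACROS_WIDE = re.compile(
    rb"(?<![A-Za-z0-9]\x00)M\x00a\x00c\x00r\x00o\x00s\x00(?![A-Za-z0-9]\x00)"
)


def office_autoopen_macro(data: bytes) -> dict:
    """Evaluate each clause of the rule over raw bytes and return every
    sub-term plus the final verdict, so a reader can see which term failed."""
    header_ok = len(data) >= 4 and struct.unpack(">I", data[:4])[0] == OLE2_MAGIC
    s1 = S1_AUTOOPEN.search(data) is not None
    s2 = S2_MACROS_WIDE.search(data) is not None
    size_ok = len(data) < MAX_SIZE
    return {
        "ole2_header": header_ok,
        "s1_AutoOpen": s1,
        "s2_Macros_wide": s2,
        "size_ok": size_ok,
        "match": header_ok and s1 and s2 and size_ok,
    }


# Constructed byte blobs (not real documents, not malware) that isolate one clause each.
OLE2_HEADER = bytes.fromhex("d0cf11e0a1b11ae1")   # CFBF signature
ZIP_HEADER = b"PK\x03\x04"                         # OOXML (.docm/.xlsm/.dotm) starts here
MACROS_WIDE = "Macros".encode("utf-16-le")
PAD = b"\x00" * 32

SAMPLES = {
    # legacy .doc: OLE2 header, both strings as whole words -> fires
    "legacy_doc_with_autoopen": OLE2_HEADER + PAD + b"AutoOpen" + PAD + MACROS_WIDE + PAD,
    # "AutoOpened" is not a full word, so $s1 does not match
    "legacy_doc_autoopen_not_fullword": OLE2_HEADER + PAD + b"AutoOpened" + PAD + MACROS_WIDE + PAD,
    # same strings inside an OOXML ZIP: the header check fails, so a .docm never fires
    "docm_ooxml_same_strings": ZIP_HEADER + PAD + b"AutoOpen" + PAD + MACROS_WIDE + PAD,
    # "Macros" present only in ASCII; $s2 requires the UTF-16LE form
    "legacy_doc_macros_ascii_only": OLE2_HEADER + PAD + b"AutoOpen" + PAD + b"Macros" + PAD,
    # every string right, but padded past the size cap
    "legacy_doc_oversized": OLE2_HEADER + PAD + b"AutoOpen" + PAD + MACROS_WIDE + b"\x00" * MAX_SIZE,
}


def scan_all(samples=SAMPLES) -> dict:
    """Return {sample_name: matched?} for every constructed sample."""
    return {name: office_autoopen_macro(blob)["match"] for name, blob in samples.items()}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:34s} {office_autoopen_macro(blob)}")
```

Run it directly to see the per-clause breakdown. The sample worth noticing is docm_ooxml_same_strings: it carries both strings yet never fires, which is why any exclusion written for .docm or .dotx files is moot for this particular rule, and why a separate rule (or olevba-style extraction of the embedded vbaProject.bin) is needed for OOXML coverage.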
Scenario: A system administrator uses Microsoft Word to generate a template document with an AutoOpen macro for automated report generation.
Filter/Exclusion: Allow-list the known template by hash or by its storage path rather than by extension. A .dotx template cannot hold macros at all (the macro-enabled template format is .dotm), and neither .dotx nor .dotm is an OLE2 file, so this rule will not fire on them; the only templates it can match are legacy .dot/.doc files, and those are what the exclusion needs to name.
Scenario: A scheduled job runs a PowerShell script that opens an Excel file using COM automation, which triggers the AutoOpen macro as part of the automation process.
Filter/Exclusion: YARA judges file content, so how a file was opened is invisible to the rule. Apply this exclusion in the Sentinel analytics rule or the scanner's alert pipeline, correlating on the scheduled task (the Excel Automation Job in this scenario) or on the opening process, and prefer to allow-list the specific workbook by hash so that any other macro document the job happens to touch still alerts.
Scenario: A developer uses Microsoft Excel to create a macro-enabled workbook that includes an AutoOpen macro for data validation, which is used in a shared team environment.
Filter/Exclusion: Excel does not write a "developer" flag into the file, so there is no such attribute for a scanner to key on; exclude the workbook by hash or by its path on the team share. If it is saved in the modern .xlsm format it is a ZIP container and this rule will not match it anyway; only a legacy .xls copy would.
Scenario: A user opens a Microsoft Word document that was automatically generated by a third-party reporting tool, which embeds an AutoOpen macro for formatting purposes.
Filter/Exclusion: Exclude on the generating tool's identity (the Report Generator v2.1 tool in this scenario) via its output directory or the document hash. A filename prefix such as report_ on its own is a weak exclusion, since a phishing lure can be named the same way; pair it with a hash or origin check.
Scenario: An IT department uses Microsoft Outlook to send a macro-enabled .docm file to users for a company-wide training session, where the AutoOpen macro is used to launch a training module.
Filter/Exclusion: A .docm is an OOXML ZIP container, so this rule does not match it; the exclusion only matters if the file is distributed as a legacy .doc. In that case exclude on the sender (the IT Training Distribution System) together with the document hash; a training_ filename prefix alone is easily spoofed by lures that impersonate IT.