MITRE ATT&CK® Analytic

AN0034: Analytic 0034

Discrepancies between VBA source code and p-code inside Office documents. Defender perspective: anomalies in file metadata streams, execution of Office processes loading macros without source code consistency, and script execution with no corresponding source metadata.

Domain: Enterprise. Object: AN0034 (Analytic), version 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic focuses on a niche but important document-risk signal: Office files where VBA macro source code does not align with compiled p-code. For leaders, the value is not simply “macro detection,” but assurance that document inspection, email security, EDR, and SOC workflows can catch malformed or deceptive macro artifacts that may evade simpler source-code review.

Executive priority

Prioritize this where Windows endpoints and Office document workflows remain business-critical, especially in finance, legal, operations, or other teams that routinely exchange macro-enabled files. The key business question is whether security controls can produce defensible evidence about suspicious Office document internals, not just whether macros are generally blocked or allowed. This can support incident triage, compliance evidence for document-handling controls, and budget decisions around endpoint, email, and file-analysis capability.

Technical view

SOC and detection teams should validate whether they can inspect Office document metadata streams and identify discrepancies between VBA source and p-code. Because ATT&CK provides no tactic mapping, no detection logic, and no relationship context for this analytic, teams should treat it as a file-analysis and endpoint-telemetry validation item rather than a complete detection rule. On Windows, useful context includes Office process activity involving macro-enabled documents, macro execution where source metadata is absent or inconsistent, and downstream script or child-process behavior that helps determine whether the file is suspicious or benign.

Likely telemetry

  • Office document file metadata and internal streams, including VBA source and p-code-related artifacts
  • Email gateway, file sandbox, or document-analysis results for macro-enabled Office files
  • Windows endpoint telemetry for Office process execution
  • Process lineage showing Office applications loading macros or spawning scripting/interpreter processes
  • File creation, download, quarantine, and user-open events for macro-enabled documents

Detection direction

  • Confirm whether current tooling can parse Office document internals deeply enough to compare VBA source code and p-code indicators.
  • Correlate document-internal anomalies with Windows Office process execution to reduce reliance on static file findings alone.
  • Tune for legitimate macro-enabled business documents to reduce false positives, especially in departments that maintain complex Office automation.
  • Look for script execution or child-process activity where corresponding macro source metadata is missing or inconsistent, as described by the official analytic perspective.
  • Document blind spots where email security, EDR, or file-analysis tools do not expose VBA/p-code consistency evidence to the SOC.
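The first bullet asks whether tooling can look at VBA source and p-code together. As an added example (not MITRE's analytic content or Glexia's code), the Python below shows the cheapest form of that check: it decompresses the MS-OVBA source region of a VBA module stream and flags a module whose cached p-code bytes are present but whose compressed source is missing or unreadable, the shape left behind when the source region has been overwritten ("VBA stomping"). It assumes the caller has already extracted the module stream from the OLE "VBA" storage and read that module's MODULEOFFSET from the "dir" stream; a full comparison of source against p-code needs a p-code disassembler such as pcodedmp, which this sketch does not attempt, and a decoy source that decompresses cleanly would pass it.

```python
# Added example code. Assumed inputs: one VBA module stream from the OLE "VBA" storage and
# that module's MODULEOFFSET (where the compressed source begins) read from the "dir" stream.
def decompress_vba(data: bytes) -> bytes:
    """MS-OVBA (section 2.4.1) decompression; raises ValueError if the container signature is missing."""
    if not data or data[0] != 0x01:
        raise ValueError("no MS-OVBA container signature (0x01) at the source offset")
    out, pos = bytearray(), 1
    while pos + 2 <= len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        chunk_end = pos + (header & 0x0FFF) + 3            # chunk size counts its own 2-byte header
        pos, chunk_start = pos + 2, len(out)
        if not header & 0x8000:                            # uncompressed chunk: 4096 raw bytes follow
            out += data[pos:chunk_end]; pos = chunk_end
            continue
        while pos < chunk_end:
            flags, pos = data[pos], pos + 1                # one flag bit per following token
            for bit in range(8):
                if pos >= chunk_end: break
                if not (flags >> bit) & 1:                 # literal token: one raw byte
                    out.append(data[pos]); pos += 1
                    continue
                token, pos = int.from_bytes(data[pos:pos + 2], "little"), pos + 2  # copy token
                bitcount = max(4, (len(out) - chunk_start - 1).bit_length())      # ceil(log2(diff))
                length = (token & (0xFFFF >> bitcount)) + 3
                offset = (token >> (16 - bitcount)) + 1
                for _ in range(length): out.append(out[-offset])  # back-reference; may overlap itself
    return bytes(out)
def compress_vba_literal(text: bytes) -> bytes:            # literal tokens only: spec-valid, not compact
    out = bytearray(b"\x01")
    for start in range(0, len(text), 3000):                # keeps every chunk under the 4098-byte limit
        body = bytearray()
        for i in range(start, min(start + 3000, len(text)), 8):
            body += b"\x00" + text[i:i + 8]                # flag byte 0x00 = eight literal tokens
        out += (0xB000 | (len(body) - 1)).to_bytes(2, "little") + body
    return bytes(out)
def assess_module(stream: bytes, text_offset: int) -> str:
    """Cheap signal only: cached p-code exists but no readable compressed source sits behind it."""
    try:
        source = decompress_vba(stream[text_offset:]).decode("latin-1")
        if "Attribute VB_Name" in source:                  # the stored source of every module carries it
            return "source present"
    except (ValueError, IndexError):
        pass
    return "no p-code cached" if text_offset == 0 else "p-code without readable source (possible stomping)"

# Constructed samples: 16 placeholder p-code bytes followed by the source region.
PCODE = b"\x00" * 16
SOURCE = b'Attribute VB_Name = "Module1"\r\nSub Auto_Open()\r\nEnd Sub\r\n'
INTACT_STREAM = PCODE + compress_vba_literal(SOURCE)
STOMPED_STREAM = PCODE + b"\x00" * (len(INTACT_STREAM) - len(PCODE))  # source zeroed, p-code kept
```

Running `assess_module(INTACT_STREAM, 16)` returns "source present", while the zeroed sample returns the stomping verdict; in a real workflow the result would be joined to the Office process and child-process telemetry listed above rather than acted on alone.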

Mitigation priorities

  • Inventory where macro-enabled Office documents are permitted and which business processes require them.
  • Apply least-privilege and macro governance controls appropriate to the organization’s Windows Office environment.
  • Route externally sourced or untrusted macro-enabled documents through inspection workflows capable of analyzing Office metadata streams, not only filename or extension.
  • Ensure incident response playbooks preserve suspicious documents and endpoint context so analysts can validate source/p-code discrepancies.
  • Use the analytic as a control-validation requirement for managed detection, email security, endpoint security, or document-analysis services.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic, not an ATT&CK technique. It names Windows as the platform and describes discrepancies between VBA source code and p-code inside Office documents, but it does not provide a detection query, tactic, technique relationship, adversary relationship, or mitigation mapping. Treat this as guidance for validating telemetry and analytic capability around suspicious macro document internals.

Official detection content is not provided, and no relationship context is supplied. This take cannot infer specific ATT&CK tactics, active exploitation, actor usage, impact, or guaranteed coverage. Local evidence is required to determine whether the organization collects Office document internals, endpoint process telemetry, and file-analysis results at sufficient fidelity.

Official MITRE ATT&CK definition

Analytic 0034

Discrepancies between VBA source code and p-code inside Office documents. Defender perspective: anomalies in file metadata streams, execution of Office processes loading macros without source code consistency, and script execution with no corresponding source metadata.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: df3c9fd281718038...

Imported snapshots across ATT&CK releases (1)

Release 19.1: object version 1.0, status Current bundle, raw hash df3c9fd28171…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0034

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.