AN0035: Analytic 0035
Execution of Wine or LibreOffice macros with inconsistent VBA metadata. Defender perspective: file analysis showing p-code embedded without matching source streams.
Analyst context for executives and security teams
This analytic matters because it points to suspicious macro execution on Linux through Wine or LibreOffice where the document’s VBA metadata does not line up: p-code is present without matching source streams. For leaders, the value is not that every macro is malicious, but that Linux endpoints and file-analysis pipelines can become a blind spot if macro inspection is focused only on Windows and Microsoft Office.
Executive priority
Prioritize this as a coverage-validation issue for SOC, incident response, and compliance evidence: can the organization inspect potentially macro-enabled documents used on Linux, and can it explain whether Wine or LibreOffice execution is monitored? The business decision is whether Linux workstations, servers, or analyst/admin environments are included in document-borne malware controls and file-analysis workflows, rather than assumed out of scope.
Technical view
Validate whether file analysis can identify VBA p-code embedded without corresponding source streams in documents opened or executed through Wine or LibreOffice on Linux. Because ATT&CK provides no separate detection logic or relationship context for this analytic, teams should treat it as a hypothesis to operationalize: correlate static document findings with Linux process execution for Wine or LibreOffice where available, then triage based on document origin, user context, and whether the file was opened, quarantined, or transmitted.
Likely telemetry
- Static file-analysis results for macro-enabled documents, including VBA streams and p-code/source stream consistency
- Linux process execution telemetry for Wine and LibreOffice
- File metadata and hashes for documents delivered by email, web download, file share, or removable media where collected
- Endpoint or gateway security alerts related to document analysis or macro content
- Case-management or SIEM records linking suspicious files to users, hosts, and execution attempts
Detection direction
- Confirm that document-analysis tooling inspects VBA metadata and can flag p-code without matching source streams, not just obvious macro presence.
- Validate that Linux endpoints are in scope for process execution logging involving Wine and LibreOffice.
- Tune triage to reduce false positives by considering trusted internal documents, known business workflows using LibreOffice, and whether execution actually occurred.
- Look for blind spots where email gateways, sandboxes, or EDR policies only evaluate Microsoft Office behavior on Windows.
- Use the analytic as a file-analysis signal that should be enriched with local telemetry; the supplied ATT&CK object does not provide a complete detection rule.
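The Technical view and Detection direction above describe a correlation: a static finding (VBA p-code present in a module without a matching source stream) joined to Linux process execution of Wine or LibreOffice, then triaged by document origin, user and whether execution actually occurred. The script below is an added example of that join, not code from the Glexia page or the ATT&CK object. It assumes the static-analysis pipeline already emits a per-module `pcode`/`source` verdict, and the runtime names, origin categories, field names and all sample records are constructed for illustration.

```python
"""Correlate VBA p-code/source inconsistencies with Wine or LibreOffice execution
on Linux and emit triage records. Added example; all data below is constructed."""
import os
from datetime import datetime, timedelta

# Process images treated as Office-style document runtimes on Linux.
# Assumption: binary names as shipped by common distributions; extend locally.
OFFICE_RUNTIMES = {"wine", "wine64", "wine-preloader", "soffice", "soffice.bin", "oosplash"}

# Document origins treated as untrusted for triage (assumed categories).
UNTRUSTED_ORIGINS = {"email", "web_download", "removable_media"}

# Constructed static file-analysis results: one record per document, with a
# per-VBA-module verdict on whether p-code and compressed source were found.
STATIC_RESULTS = [
    {"sha256": "CONSTRUCTED-HASH-1", "filename": "invoice_q3.docm", "origin": "email",
     "first_seen": "2026-03-02T09:14:00",
     "modules": [{"name": "ThisDocument", "pcode": True, "source": True},
                 {"name": "Module1", "pcode": True, "source": False}]},
    {"sha256": "CONSTRUCTED-HASH-2", "filename": "budget_template.xlsm",
     "origin": "internal_share", "first_seen": "2026-03-02T10:00:00",
     "modules": [{"name": "Module1", "pcode": True, "source": True}]},
    {"sha256": "CONSTRUCTED-HASH-3", "filename": "report.docm", "origin": "web_download",
     "first_seen": "2026-03-02T11:30:00",
     "modules": [{"name": "Module1", "pcode": True, "source": False}]},
]

# Constructed Linux process execution telemetry (field names are assumptions).
PROCESS_EVENTS = [
    {"ts": "2026-03-02T09:20:12", "host": "lx-ws-07", "user": "alice",
     "exe": "/usr/bin/wine",
     "cmdline": "wine C:\\Program Files\\Microsoft Office\\WINWORD.EXE "
                "Z:\\home\\alice\\Downloads\\invoice_q3.docm"},
    {"ts": "2026-03-02T10:05:40", "host": "lx-ws-03", "user": "bob",
     "exe": "/usr/lib/libreoffice/program/soffice.bin",
     "cmdline": "/usr/lib/libreoffice/program/soffice.bin --calc /srv/share/budget_template.xlsm"},
    # Non-Office process touching a document name: must not count as execution.
    {"ts": "2026-03-02T11:31:00", "host": "lx-ws-07", "user": "alice",
     "exe": "/usr/bin/python3", "cmdline": "python3 /home/alice/scripts/report.py report.docm"},
]


def inconsistent_modules(record):
    """Names of VBA modules carrying p-code but no matching source stream."""
    return [m["name"] for m in record["modules"] if m["pcode"] and not m["source"]]


def is_office_runtime(exe):
    """True when the process image is a Wine or LibreOffice runtime binary."""
    return os.path.basename(exe) in OFFICE_RUNTIMES


def cmdline_references(cmdline, filename):
    """Match on the final path component of any argument, so both POSIX paths and
    Wine's Z:\\ drive mapping are handled; comparison is case-insensitive."""
    target = filename.lower()
    return any(arg.rsplit("/", 1)[-1] == target
               for arg in cmdline.replace("\\", "/").lower().split())


def correlate(static_results, process_events, window=timedelta(hours=24)):
    """Join static findings to execution events and assign a triage priority."""
    findings = []
    for rec in static_results:
        stomped = inconsistent_modules(rec)
        if not stomped:
            continue  # p-code and source agree: not this analytic's condition
        seen = datetime.fromisoformat(rec["first_seen"])
        executions = [
            ev for ev in process_events
            if is_office_runtime(ev["exe"])
            and cmdline_references(ev["cmdline"], rec["filename"])
            and abs(datetime.fromisoformat(ev["ts"]) - seen) <= window
        ]
        if executions and rec["origin"] in UNTRUSTED_ORIGINS:
            priority = "high"      # untrusted document, macro runtime observed
        elif executions:
            priority = "medium"    # executed, but from a trusted workflow
        else:
            priority = "low"       # inconsistent metadata, no execution seen
        findings.append({"sha256": rec["sha256"], "filename": rec["filename"],
                         "origin": rec["origin"], "inconsistent_modules": stomped,
                         "executions": executions, "priority": priority})
    return findings


if __name__ == "__main__":
    for f in correlate(STATIC_RESULTS, PROCESS_EVENTS):
        hosts = sorted({(e["host"], e["user"]) for e in f["executions"]})
        print(f"[{f['priority'].upper()}] {f['filename']} ({f['origin']}) "
              f"modules={f['inconsistent_modules']} executed_on={hosts or 'none'}")
```

Matching on the document's basename in the command line is deliberately loose; a production pipeline should prefer file-open or path telemetry from the EDR, and the trusted-origin list is where the tuning advice above (known LibreOffice business workflows, internal documents) is applied.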
Mitigation priorities
- Inventory where Wine and LibreOffice are used on Linux systems and whether those systems handle external documents.
- Ensure file-analysis controls cover macro-enabled documents and VBA metadata inconsistencies before relying on endpoint alerts alone.
- Apply least-privilege and document-handling controls for users and systems that process untrusted files.
- Include Linux document-execution scenarios in incident response playbooks and detection validation exercises.
- Preserve suspicious files and associated host telemetry for analysis when this condition is observed.
Analyst notes and limits
This is a detection analytic object, not a full ATT&CK technique. Its strongest defensive use is as a validation prompt for static document analysis and Linux endpoint visibility around Wine or LibreOffice. No tactic, relationship, alias, or explicit detection logic was supplied, so local environment context is required to convert it into a production detection.
The supplied object is sparse: official detection logic is not provided, tactics are not specified, and no relationships are supplied. This analysis does not infer exploitation, attribution, impact, affected non-Linux platforms, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (raw hashes and MITRE modification timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f071bd23e89c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0035
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.