How can I find out what a macro does without exposing myself to it?

I have been given two different Microsoft Word documents that my virus scanner has warned me contain macros.

These should be simple text files, and the person who sent them doesn't even know what a macro is; they may be a mistake on his part, but they might be signs of a malicious infection.

My installation of is set not to load macros at all, as I rarely use them, so I am not concerned about the security of my system.

What I would like to be able to do is find out what those macros do without exposing my system to any malicious intent from those macros, in order to tell the person who sent me the documents whether or not he is spreading an infection.

  • Hello Alvin Howell,

    "find out what those macros do"
    Malicious macros naturally try to hide (by obfuscation or encryption) their intent; they might even protect themselves against more or less simple analysis (e.g. that it's running on a VM, or a machine disconnected from the network). Thus it's normally, for the average user or admin, not feasible to determine the actual intent of such macros.

    If you want to know whether it's actually malicious, submit a sample to Sophos.


  • QC is right, much of the malware, macros or viruses may check to see if the right conditions are there before they will execute. I would send it off to Sophos to have it tested. Even if you could create a test environment, you would also have to understand macros very well to even fully understand what they are doing as well. I have read of macros looking legit to hide their true intent as well.

  • In reply to Badrobot:

    I also see this is under server protection? Unless absolutely necessary for some type of in-house automation, Office products should not be installed on a server.