Analyzes malicious VBA macros embedded in Microsoft Office documents (Word, Excel, PowerPoint) to identify download cradles, payload execution, persistence mechanisms, and anti-analysis techniques. Uses olevba, oledump, and VBA deobfuscation to extract the attack chain. Activates for requests involving Office macro analysis, VBA malware investigation, maldoc analysis, or document-based threat examination.
72
88% (Does it follow best practices?)
Impact: — (No eval scenarios have been run)
Risky: Do not use without reviewing
Quality
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly defines a specific niche (malicious VBA macro analysis in Office documents), lists concrete capabilities and tools, and provides explicit activation triggers. It uses proper third-person voice throughout and includes both domain-specific terminology and natural language terms that security analysts would use.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: analyzing malicious VBA macros, identifying download cradles, payload execution, persistence mechanisms, anti-analysis techniques, extracting attack chains. Also names specific tools (olevba, oledump, VBA deobfuscation). | 3 / 3 |
| Completeness | Clearly answers both what (analyzes malicious VBA macros, identifies download cradles/payload execution/persistence/anti-analysis, uses specific tools to extract attack chain) and when ('Activates for requests involving Office macro analysis, VBA malware investigation, maldoc analysis, or document-based threat examination'). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms a user would say: 'Office macro analysis', 'VBA malware', 'maldoc analysis', 'document-based threat', 'Microsoft Office documents', 'Word, Excel, PowerPoint'. These are terms security analysts would naturally use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive niche combining malware analysis with Office/VBA specificity. Unlikely to conflict with general document processing skills or general security skills due to the very specific domain of malicious macro analysis. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
77%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong, highly actionable skill with executable commands and scripts throughout a well-sequenced workflow. Its main weaknesses are verbosity—particularly the Key Concepts and Tools sections that explain things Claude already knows—and the monolithic structure that could benefit from splitting reference material into separate files. The deobfuscation script, scenario walkthrough, and output format template are excellent additions that make this immediately usable.
Suggestions
Remove or drastically condense the 'Key Concepts' table—Claude already knows what VBA, OLE, DDE, and Protected View are. Keep only non-obvious definitions if any.
Remove the 'Tools & Systems' section since each tool is already introduced with context in the workflow steps where it's used.
Consider extracting the deobfuscation Python script and the 'Suspicious Functions' reference list into separate bundle files, referenced from the main SKILL.md to improve progressive disclosure.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is fairly comprehensive but includes unnecessary sections like 'Key Concepts' that define terms Claude already knows (VBA, OLE, DDE, Protected View). The 'Tools & Systems' section also restates information already evident from usage in the workflow. The workflow steps themselves are reasonably efficient, but the overall document could be trimmed by ~30% without losing actionable content. | 2 / 3 |
| Actionability | The skill provides fully executable commands (olevba, oledump.py, inline Python scripts) with concrete examples at every step. The deobfuscation Python script is complete and runnable, the bash commands are copy-paste ready, and the workflow covers the full analysis chain from triage to report generation with specific tool invocations and flags. | 3 / 3 |
| Workflow Clarity | The 6-step workflow is clearly sequenced from initial triage through extraction, deobfuscation, XLM analysis, non-macro vector checks, and reporting. Each step builds logically on the previous one. The scenario section includes a pitfalls list that serves as implicit validation checkpoints, and the triage step explicitly checks for macro presence before proceeding to extraction. | 3 / 3 |
| Progressive Disclosure | The content is a monolithic document with no references to supporting files despite being over 200 lines. The Key Concepts table, Tools & Systems section, and detailed deobfuscation script could be split into separate reference files. However, the document is well-organized with clear section headers, making navigation reasonable within the single file. | 2 / 3 |
| Total | | 10 / 12 Passed |
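The review above credits the skill with a runnable VBA deobfuscation script but does not reproduce it. The block below is an added example written for this page, not the skill's bundled script: a minimal static folder for the three string-building tricks that appear in most maldocs (Chr()/ChrW() chains, StrReverse() on a literal, and literal concatenation with &, including across "_" line continuations), followed by an indicator scan that reports what the fold revealed. The VBA sample, the indicator list and all function names are constructed for this example; a real case would feed it the VBA text that olevba or oledump.py extracted from the document.

```python
import re

# Constructed sample macro (not a real-world sample): it builds "powershell"
# from Chr() calls, hides the WScript.Shell ProgID with StrReverse, and
# launches the result, which is the pattern the review above refers to.
SAMPLE_VBA = '''Sub AutoOpen()
    Dim c As String
    c = Chr(112) & Chr(111) & Chr(119) & Chr(101) & Chr(114) & "shell"
    c = c & " -nop -w hidden -enc " & StrReverse("==AQ")
    Set o = CreateObject(StrReverse("llehS.tpircSW"))
    o.Run c, 0
End Sub
'''

# A VBA string literal; a doubled quote inside it is an escaped quote.
LIT = r'"((?:[^"]|"")*)"'
CHR_RE = re.compile(r'\bChr[W$]?\s*\(\s*(\d+)\s*\)', re.I)
REV_RE = re.compile(r'\bStrReverse\s*\(\s*' + LIT + r'\s*\)', re.I)
# Two adjacent literals joined by &, optionally across a "_" line continuation.
CAT_RE = re.compile(LIT + r'\s*&\s*(?:_\s*)?' + LIT)


def _to_lit(s: str) -> str:
    """Quote a Python string as a VBA literal."""
    return '"' + s.replace('"', '""') + '"'


def _from_lit(body: str) -> str:
    """Unescape the body of a VBA literal."""
    return body.replace('""', '"')


def _fold_chr(m: re.Match) -> str:
    n = int(m.group(1))
    return _to_lit(chr(n)) if n <= 0x10FFFF else m.group(0)


def deobfuscate(src: str, max_passes: int = 100) -> str:
    """Fold Chr()/ChrW(), StrReverse("...") and "a" & "b" until nothing changes."""
    for _ in range(max_passes):
        out = CHR_RE.sub(_fold_chr, src)
        out = REV_RE.sub(lambda m: _to_lit(_from_lit(m.group(1))[::-1]), out)
        out = CAT_RE.sub(lambda m: _to_lit(_from_lit(m.group(1)) + _from_lit(m.group(2))), out)
        if out == src:
            break
        src = out
    return src


# Constructed indicator list covering the auto-exec, execution and
# download-cradle categories the review groups the skill's checks under.
INDICATORS = {
    "AutoOpen": "auto-exec trigger (Word)",
    "Document_Open": "auto-exec trigger (Word)",
    "Workbook_Open": "auto-exec trigger (Excel)",
    "Auto_Open": "auto-exec trigger (Excel)",
    "WScript.Shell": "process execution via the scripting host",
    "Shell.Application": "process execution via the Explorer COM object",
    "CreateObject": "COM object instantiation",
    "URLDownloadToFile": "download cradle (urlmon)",
    "XMLHTTP": "download cradle (MSXML)",
    "powershell": "PowerShell launch",
    "-enc": "base64-encoded PowerShell command line",
}


def find_indicators(src: str) -> dict:
    """Case-insensitive whole-token search; returns {indicator: reason}."""
    found = {}
    for needle, why in INDICATORS.items():
        pat = r'(?<!\w)' + re.escape(needle) + r'(?!\w)'
        if re.search(pat, src, re.I):
            found[needle] = why
    return found


def analyze(src: str) -> dict:
    """Run the fold, then compare indicators visible before and after it."""
    clean = deobfuscate(src)
    return {
        "deobfuscated": clean,
        "before": find_indicators(src),
        "after": find_indicators(clean),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_VBA)
    print(result["deobfuscated"])
    for name in sorted(set(result["after"]) - set(result["before"])):
        print(f"revealed by deobfuscation: {name} ({result['after'][name]})")
```

On the sample, the fold turns the Chr() chain into `c = "powershell"` and the reversed ProgID into `CreateObject("WScript.Shell")`, so the before/after comparison shows exactly which indicators the obfuscation was hiding. The caveat a practitioner should keep in mind: this is purely static folding over literals. Strings assembled at runtime (Mid/Replace on a variable, array lookups, Environ values, values read from document properties or form controls) will not fold, which is why the skill's workflow pairs this step with olevba's own deobfuscation pass and, for stubborn samples, VBA emulation such as ViperMonkey.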
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
0f429d0