CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-macro-malware-in-office-documents

Analyzes malicious VBA macros embedded in Microsoft Office documents (Word, Excel, PowerPoint) to identify download cradles, payload execution, persistence mechanisms, and anti-analysis techniques. Uses olevba, oledump, and VBA deobfuscation to extract the attack chain. Activates for requests involving Office macro analysis, VBA malware investigation, maldoc analysis, or document-based threat examination.

68

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Advisory

Suggest reviewing before use

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is highly actionable with executable commands and a clear step sequence, but it suffers from redundancy with its own bundle files and lacks explicit validation checkpoints for risky malware-analysis operations. Progressive disclosure is undermined by inline duplication of content that already lives in agent.py and api-reference.md.

Suggestions

Replace the inline deobfuscate_vba function and Key VBA Elements box with one-level-deep links to scripts/agent.py and references/api-reference.md (e.g., 'For programmatic deobfuscation, see scripts/agent.py') to cut duplication and tighten conciseness.

Add explicit validation checkpoints to the workflow — e.g., before Step 1, confirm the environment is an isolated VM without Office installed and that no document is opened in a live Office instance — so workflow_clarity can reach 3.

Trim or remove the Key Concepts table entries that re-explain OLE/DDE/VBA fundamentals Claude already knows, retaining only analyst-relevant pointers.

DimensionReasoningScore

Conciseness

Mostly efficient, but the body duplicates content available in bundle files — the inline deobfuscate_vba function mirrors scripts/agent.py and the 'Key VBA Elements' box reprises tables in references/api-reference.md — and the Key Concepts table re-explains OLE/DDE/VBA basics Claude already knows.

2 / 3

Actionability

Provides concrete, executable bash and python commands throughout (olevba, oledump, xlmdeobfuscator), a complete working deobfuscate_vba function, and a bundled agent.py — copy-paste ready guidance.

3 / 3

Workflow Clarity

A clear 6-step sequence exists, but malware analysis is a risky operation with no explicit validation/verification checkpoints (e.g., confirm isolated VM, validate sandbox isolation, verify no accidental execution) — the rubric caps workflow clarity at 2 when validation steps are missing for destructive or risky operations.

2 / 3

Progressive Disclosure

Bundle files exist (scripts/agent.py, references/api-reference.md) but are not signposted inline in the body, and content that belongs in those files (deobfuscation code, tool reference tables) is reproduced inline rather than linked one level deep.

2 / 3

Total

9

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A strong, third-person description that names concrete capabilities, the tools used, and an explicit activation clause with natural trigger terms. It cleanly answers both what the skill does and when to invoke it.

DimensionReasoningScore

Specificity

Lists multiple concrete actions — 'identify download cradles, payload execution, persistence mechanisms, and anti-analysis techniques' and 'extract the attack chain' — plus named tools (olevba, oledump), matching the score-3 anchor of multiple specific concrete actions.

3 / 3

Completeness

Clearly answers both what ('Analyzes malicious VBA macros...') and when ('Activates for requests involving...') with an explicit trigger clause, matching the score-3 anchor.

3 / 3

Trigger Term Quality

Natural user-facing terms appear explicitly — 'Office macro analysis, VBA malware investigation, maldoc analysis, or document-based threat examination' — giving good coverage of phrasings a user would actually say.

3 / 3

Distinctiveness Conflict Risk

Scoped to malicious VBA macros in Office documents with distinct, niche-specific triggers unlikely to fire for unrelated skills.

3 / 3

Total

12

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.