1 minute read

We can modify VBA Macro notification settings from the Registry by creating VBAWarnings DWORD under HKEY_CURRENT_USER\software\policies\microsoft\office\{ms_office_version}\{application}\security .

Possible values for VBAWarnings :

Value 1: Enable All Macros

Value 2: Disable All macros with notification

Value 3: Disable all macros except those digitally signed

Value 4: Disable all without notification

When opening a document with a macro, MS Office application ( winword.exe , etc) tries to access VBAWarnings value:

All online sandbox services I’ve tested use the feature to enable all macros without any notification (value 1), although normal users usually don’t have the feature enabled.

Any.Run

Hybrid-Analysis

whoami: @_qaz_qaz