How To Check Office Files for Macros Using Java

This article discusses the utility and cybersecurity risks associated with macros and provides several free API solutions to check Office content for macros.

By Brian O'Neill · Sep. 01, 23 · Tutorial

The Microsoft OpenXML files we use on a day-to-day basis are conveniently designed to be accessed and manipulated programmatically. We can jump into any OpenXML file structure in a variety of capacities (usually via specialized programming libraries or APIs) to easily manipulate objects within a document and/or retrieve important contents from its various sections.  

The flexibility afforded by Office document formats is, to an even greater extent, facilitated by macros. Using the Visual Basic for Applications (VBA) programming language - a specially designed version of the Visual Basic (VB) language - we can add a myriad of dynamic elements to our Office documents and allow our files to seamlessly connect with other applications in our system.

We can automate away our Excel spreadsheets’ most repetitive calculations, and we can ask toolbars within our DOCX files to update external applications based on information entered in form fields. We can create macros in our PowerPoint PPTX presentations that insert slides from one file into another, and we can even automate PPTX file conversions to formats like PDF, PNG, JPG, etc. to save us valuable time in our workflow. The list of macro-enabled benefits is virtually endless.

Of course, macros are far from purely beneficial blocks of code. The fact that VBA has the power to execute code means VBA macros will always pose a considerable security threat to our system. Since their conception in the 90s, macros have served as an effective vessel for cybercriminals to deliver viruses and malware to machines all around the globe. Attackers can use VBA to trigger arbitrary commands and run programs on our devices, and they can even use it to delete valuable data from our hard drives. Some of the earliest examples of rapidly proliferating computer virus infections leveraged VBA macros to compromise victims’ devices, hijack their email contact lists, and target those new contacts with the original malware. In more recent years, macro-enabled files have even proved an efficient method for delivering ransomware to sensitive file storage locations with weak security policies.

The threat of macros is significant enough that Office now disables them by default when macro-enabled files are downloaded from the internet. Downloading a file containing a macro will automatically bring up a “Security Risk” notification, meaning we’ll have to enable macros manually via document settings and accept the associated malware risks on our own terms.  

The trouble is, of course, that macros aren’t always downloaded directly from sketchy internet sources.  It’s common to encounter malicious macros as innocuous file attachments in our email inboxes (oftentimes sent from compromised devices we once trusted), and we might also find them scattered within our web applications’ various cloud storage instances when we allow direct client-side uploads through web portals. More and more, macro threats are delivered latently, bypassing weakly configured security policies and lying dormant until their contents are unwittingly executed.

As a result, it’s extremely important that we implement our own methods for identifying and mitigating macro threats. There are a variety of solutions we can use to accomplish this, including a few simple low-code APIs provided further down the page.

Demonstration

We can easily determine if Excel XLSX, Word DOCX, and PowerPoint PPTX files contain macros using the ready-to-run Java code examples provided below. These three separate API solutions make it straightforward to incorporate macro checks into our relevant web application workflows, returning simple Boolean responses when macros are identified.

To be clear, these solutions offer an efficient method for definitively identifying the existence of macros, but they do not take any additional action on the document in question, nor do they determine if the macros identified are malicious. As such, they are best utilized as a precursor to downstream actions that either store or delete documents outright.

Before we structure our API calls with code examples, we’ll first need to install our SDK.  We can begin installing with Maven by first adding a reference to the repository in pom.xml:

XML
 
<repositories>
    <repository>
        <id>jitpack.io</id>
        <url>https://jitpack.io</url>
    </repository>
</repositories>


And we can finish that process by adding a reference to the dependency in pom.xml:

XML
 
<dependencies>
    <dependency>
        <groupId>com.github.Cloudmersive</groupId>
        <artifactId>Cloudmersive.APIClient.Java</artifactId>
        <version>v4.25</version>
    </dependency>
</dependencies>


We can now copy the code examples below for any (or all) of our three API solutions.

We can use the following code to check if Excel XLSX files contain macros:

Java
 
// Import classes:
import java.io.File;
import com.cloudmersive.client.EditDocumentApi;
import com.cloudmersive.client.invoker.ApiClient;
import com.cloudmersive.client.invoker.ApiException;
import com.cloudmersive.client.invoker.Configuration;
import com.cloudmersive.client.invoker.auth.*;
import com.cloudmersive.client.model.GetMacrosResponse;

public class XlsxMacroCheck {
    public static void main(String[] args) {
        ApiClient defaultClient = Configuration.getDefaultApiClient();

        // Configure API key authorization: Apikey
        ApiKeyAuth Apikey = (ApiKeyAuth) defaultClient.getAuthentication("Apikey");
        Apikey.setApiKey("YOUR API KEY");
        // Uncomment the following line to set a prefix for the API key, e.g. "Token" (defaults to null)
        //Apikey.setApiKeyPrefix("Token");

        EditDocumentApi apiInstance = new EditDocumentApi();
        File inputFile = new File("/path/to/inputfile"); // File | Input file to perform the operation on.
        try {
            // Ask the API whether the XLSX file contains VBA macros
            GetMacrosResponse result = apiInstance.editDocumentXlsxGetMacroInformation(inputFile);
            System.out.println(result);
        } catch (ApiException e) {
            System.err.println("Exception when calling EditDocumentApi#editDocumentXlsxGetMacroInformation");
            e.printStackTrace();
        }
    }
}


We can use the following to check Word DOCX/DOCM files:

Java
 
// Import classes:
import java.io.File;
import com.cloudmersive.client.EditDocumentApi;
import com.cloudmersive.client.invoker.ApiClient;
import com.cloudmersive.client.invoker.ApiException;
import com.cloudmersive.client.invoker.Configuration;
import com.cloudmersive.client.invoker.auth.*;
import com.cloudmersive.client.model.GetMacrosResponse;

public class DocxMacroCheck {
    public static void main(String[] args) {
        ApiClient defaultClient = Configuration.getDefaultApiClient();

        // Configure API key authorization: Apikey
        ApiKeyAuth Apikey = (ApiKeyAuth) defaultClient.getAuthentication("Apikey");
        Apikey.setApiKey("YOUR API KEY");
        // Uncomment the following line to set a prefix for the API key, e.g. "Token" (defaults to null)
        //Apikey.setApiKeyPrefix("Token");

        EditDocumentApi apiInstance = new EditDocumentApi();
        File inputFile = new File("/path/to/inputfile"); // File | Input file to perform the operation on.
        try {
            // Ask the API whether the DOCX/DOCM file contains VBA macros
            GetMacrosResponse result = apiInstance.editDocumentDocxGetMacroInformation(inputFile);
            System.out.println(result);
        } catch (ApiException e) {
            System.err.println("Exception when calling EditDocumentApi#editDocumentDocxGetMacroInformation");
            e.printStackTrace();
        }
    }
}


And, finally, we can use the following code to check PowerPoint PPTX/PPTM files:

Java
 
// Import classes:
import java.io.File;
import com.cloudmersive.client.EditDocumentApi;
import com.cloudmersive.client.invoker.ApiClient;
import com.cloudmersive.client.invoker.ApiException;
import com.cloudmersive.client.invoker.Configuration;
import com.cloudmersive.client.invoker.auth.*;
import com.cloudmersive.client.model.GetMacrosResponse;

public class PptxMacroCheck {
    public static void main(String[] args) {
        ApiClient defaultClient = Configuration.getDefaultApiClient();

        // Configure API key authorization: Apikey
        ApiKeyAuth Apikey = (ApiKeyAuth) defaultClient.getAuthentication("Apikey");
        Apikey.setApiKey("YOUR API KEY");
        // Uncomment the following line to set a prefix for the API key, e.g. "Token" (defaults to null)
        //Apikey.setApiKeyPrefix("Token");

        EditDocumentApi apiInstance = new EditDocumentApi();
        File inputFile = new File("/path/to/inputfile"); // File | Input file to perform the operation on.
        try {
            // Ask the API whether the PPTX/PPTM file contains VBA macros
            GetMacrosResponse result = apiInstance.editDocumentPptxGetMacroInformation(inputFile);
            System.out.println(result);
        } catch (ApiException e) {
            System.err.println("Exception when calling EditDocumentApi#editDocumentPptxGetMacroInformation");
            e.printStackTrace();
        }
    }
}


Each of these solutions will return a “ContainsVbaMacros” Boolean response containing a “true” or “false” value.  We can authorize our requests for any of these solutions using a free Cloudmersive API key.
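
As an added example (not from the original article and not part of the Cloudmersive SDK), the following local pre-check uses only the JDK (11 or later) to look inside the OOXML ZIP package for a VBA project, so an upload handler can gate files before or alongside the API call. The class name `LocalMacroCheck`, the `Verdict` values and the 1 MB manifest cap are assumptions made for this illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.util.Enumeration;
import java.util.Locale;
import java.util.zip.ZipEntry;
import java.util.zip.ZipException;
import java.util.zip.ZipFile;

public class LocalMacroCheck {
    enum Verdict { NO_MACROS, HAS_MACROS, NOT_OOXML }

    // Assumed cap on bytes read from [Content_Types].xml, to bound decompression work.
    static final int MAX_MANIFEST_BYTES = 1_000_000;

    static Verdict inspect(Path file) throws IOException {
        try (ZipFile zip = new ZipFile(file.toFile())) {
            boolean sawManifest = false;
            Enumeration<? extends ZipEntry> entries = zip.entries();
            while (entries.hasMoreElements()) {
                ZipEntry entry = entries.nextElement();
                String name = entry.getName().toLowerCase(Locale.ROOT);
                // The VBA project is stored as a part named vbaProject.bin (word/, xl/ or ppt/).
                if (name.endsWith("vbaproject.bin")) return Verdict.HAS_MACROS;
                if (!name.equals("[content_types].xml")) continue;
                sawManifest = true;
                try (InputStream in = zip.getInputStream(entry)) {
                    String xml = new String(in.readNBytes(MAX_MANIFEST_BYTES), StandardCharsets.UTF_8)
                            .toLowerCase(Locale.ROOT);
                    // Declared VBA part, or a macro-enabled main part hiding behind a .docx/.xlsx/.pptx name.
                    if (xml.contains("vnd.ms-office.vbaproject") || xml.contains("macroenabled")) {
                        return Verdict.HAS_MACROS;
                    }
                }
            }
            return sawManifest ? Verdict.NO_MACROS : Verdict.NOT_OOXML;
        } catch (ZipException notAZip) {
            return Verdict.NOT_OOXML; // not a valid ZIP package, so not an OpenXML file
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) { System.err.println("usage: LocalMacroCheck <file>"); System.exit(2); }
        Verdict verdict = inspect(Path.of(args[0]));
        System.out.println(args[0] + " -> " + verdict);
        // Fail closed: only a positively clean OOXML package exits with 0.
        System.exit(verdict == Verdict.NO_MACROS ? 0 : 1);
    }
}
```

A non-zero exit code lets an upload handler quarantine anything that is not a positively clean OOXML package. Legacy binary formats such as .doc and .xls are not ZIP packages, so they return `NOT_OOXML` and are rejected rather than passed through unchecked.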
