From 18d0ac2148d76aaf1dfe659c1a11cf74021ebae9 Mon Sep 17 00:00:00 2001
From: Felix Bauer <jack@ai4me.de>
Date: Tue, 20 Aug 2019 10:47:36 +0200
Subject: [PATCH] Add an additional static test to the ruleset to check for
 office macros with suspicious keywords (#87)

The new rule is deactivated by default, it uses oletools to check SUSPICIOUSKEYWORDS
in the macro code of office documents.

Ole is now an analyser module much like Cuckoo inside the toolbox.
All logic has been moved there. Sample is merely there for caching.
Evaluation of Rules uses the toolbox and report back.

Regex based matching of MS office files for configurable keywords.
Also detection of macros has been improved.

Tests for correct handling of none office file extension
Tests for correct handling of empty file with correct extension
Tests for correct detection of office file with suspicious macro
Tests for correct pass of blank office document
Tests for correct handling of empty word doc.
Tests for correct non detection of Excel file with macro.
---
 peekaboo/config.py                         |  13 ++-
 peekaboo/locale/de/LC_MESSAGES/peekaboo.mo | Bin 4074 -> 4392 bytes
 peekaboo/locale/de/LC_MESSAGES/peekaboo.po |  73 ++++++++-----
 peekaboo/locale/peekaboo.pot               |  66 +++++++-----
 peekaboo/ruleset/engine.py                 |   9 +-
 peekaboo/ruleset/rules.py                  |  61 ++++++++++-
 peekaboo/sample.py                         |  20 ++--
 peekaboo/toolbox/ms_office.py              |  61 -----------
 peekaboo/toolbox/ole.py                    | 120 +++++++++++++++++++++
 ruleset.conf.sample                        |  19 ++--
 tests/test-data/office/blank.doc           | Bin 0 -> 22528 bytes
 tests/test-data/office/empty.doc           |   0
 tests/test-data/office/legitmacro.xls      | Bin 0 -> 35840 bytes
 tests/test-data/office/suspiciousMacro.doc | Bin 0 -> 28672 bytes
 test.py => tests/test.py                   |  56 +++++++++-
 15 files changed, 355 insertions(+), 143 deletions(-)
 delete mode 100644 peekaboo/toolbox/ms_office.py
 create mode 100644 peekaboo/toolbox/ole.py
 create mode 100644 tests/test-data/office/blank.doc
 create mode 100644 tests/test-data/office/empty.doc
 create mode 100644 tests/test-data/office/legitmacro.xls
 create mode 100644 tests/test-data/office/suspiciousMacro.doc
 rename test.py => tests/test.py (93%)

diff --git a/peekaboo/config.py b/peekaboo/config.py
index 5c182bb5..af5b81f9 100644
--- a/peekaboo/config.py
+++ b/peekaboo/config.py
@@ -41,6 +41,7 @@ class PeekabooConfigParser( # pylint: disable=too-many-ancestors
     exist or cannot be opened. """
     LOG_LEVEL = object()
     RELIST = object()
+    IRELIST = object()
 
     def __init__(self, config_file):
         # super() does not work here because ConfigParser uses old-style
@@ -114,7 +115,14 @@ def getlist(self, section, option, raw=False, vars=None, fallback=None):
         self.lists[section][option] = value
         return value
 
-    def getrelist(self, section, option, raw=False, vars=None, fallback=None):
+    def getirelist(self, section, option, raw=False, vars=None, fallback=None, flags=None):
+        """ Special getter for lists of regular expressions that are compiled to match
+        case insesitive (IGNORECASE). Returns the compiled expression objects in a
+        list ready for matching and searching.
+        """
+        return self.getrelist(section, option, raw=raw, vars=vars, fallback=fallback, flags=re.IGNORECASE)
+
+    def getrelist(self, section, option, raw=False, vars=None, fallback=None, flags=0):
         """ Special getter for lists of regular expressions. Returns the
         compiled expression objects in a list ready for matching and searching.
         """
@@ -137,7 +145,7 @@ def getrelist(self, section, option, raw=False, vars=None, fallback=None):
         compiled_res = []
         for regex in strlist:
             try:
-                compiled_res.append(re.compile(regex))
+                compiled_res.append(re.compile(regex, flags))
             except (ValueError, TypeError) as error:
                 raise PeekabooConfigException(
                     'Failed to compile regular expression "%s" (section %s, '
@@ -203,6 +211,7 @@ def get_by_type(self, section, option, fallback=None, option_type=None):
             # these only work when given explicitly as option_type
             self.LOG_LEVEL: self.get_log_level,
             self.RELIST: self.getrelist,
+            self.IRELIST: self.getirelist,
         }
 
         return getter[option_type](section, option, fallback=fallback)
diff --git a/peekaboo/locale/de/LC_MESSAGES/peekaboo.mo b/peekaboo/locale/de/LC_MESSAGES/peekaboo.mo
index c89b24bd31567c0a4424e046d87a89f80374a0ee..af5a9622f24acfd5037490e697db779bf5e62acc 100644
GIT binary patch
delta 1012
zcmaLUUr19?9KiA4rZ!vCsYPjN9yLwbjA@!CCYB?72_q|d=w)tq?zX&>yA6>7pQC)~
zl3^555J}R5EU<?n!l(YwL-Zm+VGuzNJp}cZ^gTI>5V~;roIk(wJLmk)m)iOIsrMCy
z*MzT`zncH7OZWbMH{Bu~bZ_A>zQH<dDiGO?gLn`}aTngkJ@^D$@FVItU*UTG0G7}n
z!~u~hIZdOFfg7k3te{@-9UE|4k;qQ$#!ei@8oY!-yoXiz7WMkCSc%?EBAitkP+zVI
zb)F&A7dnSK*k9&oY-M06Kk*WECB!3g6l$;)W2kR_6%XM<)Cc;8C$PC#qzx}1mzD>Z
zqne9&gudYw8OM2S!m2GIiv6XZhE5d0TD*>XaS8X~2h=w%^{tNwv6TKv3}Y0#aUOLA
zR<Ry`qRykJx57a@jAp*SfKy!zyrQ8?Q%F{Q^IF`Fy~r!bFt+2F{P<<mPj&}&{3_}S
zu3-Qx{31QrhsSXe_4o^H#2<JHtIH^;PHdNv9Pgqo%^K>rYb+OWp1EtC1$QzxQ1H%G
z5wTP%9yg<gilw62F~iE_%8Ty1omo$1wVFtn(S)+IR$4_ee*#o$+_0QQPp`A&3Du}f
zf;ls-!!|~J_RN-ax3-5=Tc~G$XCTy`n=bBmxw@R!n;+$J-cPPN(@^0^#xO~dQAxwJ
z)X@5Q!l~r%^EflU78U*{%*xuTF{VZ)Ge%mC+NtHa+=}nH+qvlX9#F?3Njs$`jPub1
yvm=H%rj}>oam%n&%&_yDMY8EpBfk7NVQ18YX~&!^{tjo_9}NC)`G!SL{efTo9=7HH

delta 856
zcmb8s-%FEG7{Kx8ebqL#<x)(W=FZBw%o*EQnk%JTNH>C3|3KP{io-X0^I~+dps1S!
z;Sk+qcY!w%^b$ouMMSX6yd2SGg+!O#Sl0KrL3G&*htKmoJ3Bv~vwm<hTKd#le^>Yt
zjBdsS%VdAQJGMxcbOq1jTWrUDbqq{m4D;B74vyeW?7~;rixuq0-)QFb*YE6ClCuOM
z3J&Jc!!dk@W`Q4g2wNLOA~=M{a2gNbZA{`r+>aY*{`U<#F}O>FGfNB)V=tO@CNV1|
zk$Hj+3TxPgPj`M0DWmDgHcntyKx7bS(A;<x%|V`E8owf!lSoj+r;9x}PQKA7av9s3
zs-3%qrgQhPkNw3bP*_2;;1)(P-CTW^X*^0^M04ZyTKzrlA^(nN@E0D(@!i!9T*CzU
zJv29dji<4K3cG20X_#P?z)V<1bK_MsCwzo-U*2H`%eDGXG*8sV?q>cuG@WyC0B>Lp
zALA5m*6Jr(MB?OgXx3Y4k-gGK@P>kUqc5mG*irq`UQFhfXBS;pd9&^nN1ar0FUOF7
zs$-+IvLCPeX!)vP&DL9ijJ_V!q3mFKSfxgCnW2GH%2$o2EGw%oHa-8pbvv6sTRIj>
rL?#vrj#}`PyHqHu_$4({yy|$W;4aPi^P#e>UxYjKgK$7^hmZULQp$Vf

diff --git a/peekaboo/locale/de/LC_MESSAGES/peekaboo.po b/peekaboo/locale/de/LC_MESSAGES/peekaboo.po
index d82f699e..77ab1270 100644
--- a/peekaboo/locale/de/LC_MESSAGES/peekaboo.po
+++ b/peekaboo/locale/de/LC_MESSAGES/peekaboo.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PeekabooAV 1.6.2\n"
 "Report-Msgid-Bugs-To: EMAIL@ADDRESS\n"
-"POT-Creation-Date: 2019-04-17 09:26+0000\n"
+"POT-Creation-Date: 2019-08-20 10:35+0200\n"
 "PO-Revision-Date: 2019-02-14 22:02+0000\n"
 "Last-Translator: Michael Weiser <michael.weiser@gmx.de>\n"
 "Language: de\n"
@@ -15,28 +15,28 @@ msgstr ""
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Generated-By: Babel 2.4.0\n"
+"Generated-By: Babel 2.7.0\n"
 
 #: peekaboo/queuing.py:382
 msgid "Sample initialization failed"
 msgstr "Initialisierung der zu analysierenden Datei fehlgeschlagen"
 
-#: peekaboo/sample.py:186
+#: peekaboo/sample.py:185
 #, python-format
 msgid "File \"%s\" %s is being analyzed"
 msgstr "Datei \"%s\" %s wird analysiert"
 
-#: peekaboo/sample.py:239
+#: peekaboo/sample.py:238
 #, python-format
 msgid "File \"%s\" is considered \"%s\""
 msgstr "Die Datei \"%s\" wird als \"%s\" betrachtet"
 
-#: peekaboo/sample.py:299
+#: peekaboo/sample.py:298
 #, python-format
 msgid "File \"%s\": %s"
 msgstr "Datei \"%s\": %s"
 
-#: peekaboo/sample.py:495
+#: peekaboo/sample.py:497
 #, python-format
 msgid "Sample %s successfully submitted to Cuckoo as job %d"
 msgstr "Erfolgreich an Cuckoo gegeben %s als Job %d"
@@ -100,55 +100,73 @@ msgstr "Ja"
 msgid "No"
 msgstr "Nein"
 
-#: peekaboo/ruleset/engine.py:118
+#: peekaboo/ruleset/engine.py:147
 msgid "Rule aborted with error"
 msgstr "Regel mit Fehler abgebrochen"
 
-#: peekaboo/ruleset/rules.py:133
+#: peekaboo/ruleset/rules.py:122
 msgid "File is not yet known to the system"
 msgstr "Datei ist dem System noch nicht bekannt"
 
-#: peekaboo/ruleset/rules.py:154
+#: peekaboo/ruleset/rules.py:143
 #, python-format
 msgid "Failure to determine sample file size: %s"
 msgstr "Ermittlung der Dateigröße fehlgeschlagen: %s"
 
-#: peekaboo/ruleset/rules.py:159
+#: peekaboo/ruleset/rules.py:148
 #, python-format
 msgid "File has more than %d bytes"
 msgstr "Datei hat mehr als %d bytes"
 
-#: peekaboo/ruleset/rules.py:165
+#: peekaboo/ruleset/rules.py:154
 #, python-format
 msgid "File is only %d bytes long"
-msgstr ""
+msgstr "Die Datei ist nur %d bytes groß"
 
-#: peekaboo/ruleset/rules.py:187
+#: peekaboo/ruleset/rules.py:176
 msgid "File type is on whitelist"
 msgstr "Dateityp ist auf Whitelist"
 
-#: peekaboo/ruleset/rules.py:191
+#: peekaboo/ruleset/rules.py:180
 msgid "File type is not on whitelist"
 msgstr "Dateityp ist nicht auf Whitelist"
 
-#: peekaboo/ruleset/rules.py:213
+#: peekaboo/ruleset/rules.py:202
 msgid "File type is on the list of types to analyze"
 msgstr "Dateityp ist auf der Liste der zu analysiserenden Typen"
 
-#: peekaboo/ruleset/rules.py:218
+#: peekaboo/ruleset/rules.py:207
 #, python-format
 msgid "File type is not on the list of types to analyse (%s)"
 msgstr "Dateityp ist nicht auf der Liste der zu analysierenden Typen (%s)"
 
-#: peekaboo/ruleset/rules.py:231
+#: peekaboo/ruleset/rules.py:223
+msgid "File is not an office document"
+msgstr "Die Datei ist kein Office Dokument"
+
+#: peekaboo/ruleset/rules.py:247
 msgid "The file contains an Office macro"
 msgstr "Die Datei beinhaltet ein Office-Makro"
 
-#: peekaboo/ruleset/rules.py:235
+#: peekaboo/ruleset/rules.py:251
 msgid "The file does not contain a recognizable Office macro"
 msgstr "Die Datei beinhaltet kein erkennbares Office-Makro"
 
-#: peekaboo/ruleset/rules.py:265 peekaboo/ruleset/rules.py:402
+#: peekaboo/ruleset/rules.py:272
+msgid "The file contains an Office macro which runs at document open"
+msgstr ""
+"Die Datei beinhaltet ein Office Makro welches beim Öffnen der Datei "
+"ausgeführt wird"
+
+#: peekaboo/ruleset/rules.py:277
+msgid ""
+"The file does not contain a recognizable Office macro that is run at "
+"document open"
+msgstr ""
+"Die Datei beinhaltet kein erkennbares Office Makro welches beim Öffnen "
+"ausgeführt wird"
+
+#: peekaboo/ruleset/rules.py:307 peekaboo/ruleset/rules.py:445
 msgid ""
 "Behavioral analysis by Cuckoo has produced an error and did not finish "
 "successfully"
@@ -156,40 +174,41 @@ msgstr ""
 "Die Verhaltensanalyse durch Cuckoo hat einen Fehler produziert und konnte"
 " nicht erfolgreich abgeschlossen werden"
 
-#: peekaboo/ruleset/rules.py:322
+#: peekaboo/ruleset/rules.py:365
 msgid "No signature suggesting malware detected"
 msgstr "Keine Signatur erkannt die auf Schadcode hindeutet"
 
-#: peekaboo/ruleset/rules.py:327
+#: peekaboo/ruleset/rules.py:370
 #, python-format
 msgid "The following signatures have been recognized: %s"
 msgstr "Folgende Signaturen wurden erkannt: %s"
 
-#: peekaboo/ruleset/rules.py:346
+#: peekaboo/ruleset/rules.py:389
 #, python-format
 msgid "Cuckoo score >= %s: %s"
 msgstr ""
 
-#: peekaboo/ruleset/rules.py:351
+#: peekaboo/ruleset/rules.py:394
 #, python-format
 msgid "Cuckoo score < %s: %s"
 msgstr ""
 
-#: peekaboo/ruleset/rules.py:375
+#: peekaboo/ruleset/rules.py:418
 #, python-format
 msgid "The file attempts to contact at least one domain on the blacklist (%s)"
 msgstr ""
 "Die Datei versucht mindestens eine Domain aus der Blacklist zu "
 "kontaktieren (%s)"
 
-#: peekaboo/ruleset/rules.py:381
+#: peekaboo/ruleset/rules.py:424
 msgid "File does not seem to attempt contact with domains on the blacklist"
 msgstr "Datei scheint keine Domains aus der Blacklist kontaktieren zu wollen"
 
-#: peekaboo/ruleset/rules.py:418
+#: peekaboo/ruleset/rules.py:461
 msgid "Behavioral analysis by Cuckoo completed successfully"
 msgstr "Die Verhaltensanalyse durch Cuckoo wurde erfolgreich abgeschlossen"
 
-#: peekaboo/ruleset/rules.py:435
+#: peekaboo/ruleset/rules.py:478
 msgid "File does not seem to exhibit recognizable malicious behaviour"
 msgstr "Datei scheint keine erkennbaren Schadroutinen zu starten"
+
diff --git a/peekaboo/locale/peekaboo.pot b/peekaboo/locale/peekaboo.pot
index 56b61130..085c4471 100644
--- a/peekaboo/locale/peekaboo.pot
+++ b/peekaboo/locale/peekaboo.pot
@@ -8,35 +8,35 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PROJECT VERSION\n"
 "Report-Msgid-Bugs-To: EMAIL@ADDRESS\n"
-"POT-Creation-Date: 2019-04-17 09:26+0000\n"
+"POT-Creation-Date: 2019-08-20 10:35+0200\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Generated-By: Babel 2.4.0\n"
+"Generated-By: Babel 2.7.0\n"
 
 #: peekaboo/queuing.py:382
 msgid "Sample initialization failed"
 msgstr ""
 
-#: peekaboo/sample.py:186
+#: peekaboo/sample.py:185
 #, python-format
 msgid "File \"%s\" %s is being analyzed"
 msgstr ""
 
-#: peekaboo/sample.py:239
+#: peekaboo/sample.py:238
 #, python-format
 msgid "File \"%s\" is considered \"%s\""
 msgstr ""
 
-#: peekaboo/sample.py:299
+#: peekaboo/sample.py:298
 #, python-format
 msgid "File \"%s\": %s"
 msgstr ""
 
-#: peekaboo/sample.py:495
+#: peekaboo/sample.py:497
 #, python-format
 msgid "Sample %s successfully submitted to Cuckoo as job %d"
 msgstr ""
@@ -99,93 +99,107 @@ msgstr ""
 msgid "No"
 msgstr ""
 
-#: peekaboo/ruleset/engine.py:118
+#: peekaboo/ruleset/engine.py:147
 msgid "Rule aborted with error"
 msgstr ""
 
-#: peekaboo/ruleset/rules.py:133
+#: peekaboo/ruleset/rules.py:122
 msgid "File is not yet known to the system"
 msgstr ""
 
-#: peekaboo/ruleset/rules.py:154
+#: peekaboo/ruleset/rules.py:143
 #, python-format
 msgid "Failure to determine sample file size: %s"
 msgstr ""
 
-#: peekaboo/ruleset/rules.py:159
+#: peekaboo/ruleset/rules.py:148
 #, python-format
 msgid "File has more than %d bytes"
 msgstr ""
 
-#: peekaboo/ruleset/rules.py:165
+#: peekaboo/ruleset/rules.py:154
 #, python-format
 msgid "File is only %d bytes long"
 msgstr ""
 
-#: peekaboo/ruleset/rules.py:187
+#: peekaboo/ruleset/rules.py:176
 msgid "File type is on whitelist"
 msgstr ""
 
-#: peekaboo/ruleset/rules.py:191
+#: peekaboo/ruleset/rules.py:180
 msgid "File type is not on whitelist"
 msgstr ""
 
-#: peekaboo/ruleset/rules.py:213
+#: peekaboo/ruleset/rules.py:202
 msgid "File type is on the list of types to analyze"
 msgstr ""
 
-#: peekaboo/ruleset/rules.py:218
+#: peekaboo/ruleset/rules.py:207
 #, python-format
 msgid "File type is not on the list of types to analyse (%s)"
 msgstr ""
 
-#: peekaboo/ruleset/rules.py:231
+#: peekaboo/ruleset/rules.py:223
+msgid "File is not an office document"
+msgstr ""
+
+#: peekaboo/ruleset/rules.py:247
 msgid "The file contains an Office macro"
 msgstr ""
 
-#: peekaboo/ruleset/rules.py:235
+#: peekaboo/ruleset/rules.py:251
 msgid "The file does not contain a recognizable Office macro"
 msgstr ""
 
-#: peekaboo/ruleset/rules.py:265 peekaboo/ruleset/rules.py:402
+#: peekaboo/ruleset/rules.py:272
+msgid "The file contains an Office macro which runs at document open"
+msgstr ""
+
+#: peekaboo/ruleset/rules.py:277
+msgid ""
+"The file does not contain a recognizable Office macro that is run at "
+"document open"
+msgstr ""
+
+#: peekaboo/ruleset/rules.py:307 peekaboo/ruleset/rules.py:445
 msgid ""
 "Behavioral analysis by Cuckoo has produced an error and did not finish "
 "successfully"
 msgstr ""
 
-#: peekaboo/ruleset/rules.py:322
+#: peekaboo/ruleset/rules.py:365
 msgid "No signature suggesting malware detected"
 msgstr ""
 
-#: peekaboo/ruleset/rules.py:327
+#: peekaboo/ruleset/rules.py:370
 #, python-format
 msgid "The following signatures have been recognized: %s"
 msgstr ""
 
-#: peekaboo/ruleset/rules.py:346
+#: peekaboo/ruleset/rules.py:389
 #, python-format
 msgid "Cuckoo score >= %s: %s"
 msgstr ""
 
-#: peekaboo/ruleset/rules.py:351
+#: peekaboo/ruleset/rules.py:394
 #, python-format
 msgid "Cuckoo score < %s: %s"
 msgstr ""
 
-#: peekaboo/ruleset/rules.py:375
+#: peekaboo/ruleset/rules.py:418
 #, python-format
 msgid "The file attempts to contact at least one domain on the blacklist (%s)"
 msgstr ""
 
-#: peekaboo/ruleset/rules.py:381
+#: peekaboo/ruleset/rules.py:424
 msgid "File does not seem to attempt contact with domains on the blacklist"
 msgstr ""
 
-#: peekaboo/ruleset/rules.py:418
+#: peekaboo/ruleset/rules.py:461
 msgid "Behavioral analysis by Cuckoo completed successfully"
 msgstr ""
 
-#: peekaboo/ruleset/rules.py:435
+#: peekaboo/ruleset/rules.py:478
 msgid "File does not seem to exhibit recognizable malicious behaviour"
 msgstr ""
 
diff --git a/peekaboo/ruleset/engine.py b/peekaboo/ruleset/engine.py
index 96af1c65..6e736f52 100644
--- a/peekaboo/ruleset/engine.py
+++ b/peekaboo/ruleset/engine.py
@@ -49,6 +49,7 @@ class RulesetEngine(object):
         CuckooEvilSigRule,
         CuckooScoreRule,
         OfficeMacroRule,
+        OfficeMacroWithSuspiciousKeyword,
         RequestsEvilDomainRule,
         CuckooAnalysisFailedRule,
         ContainsPeekabooYarRule,
@@ -127,7 +128,7 @@ def __exec_rule(self, sample, rule_class):
         rule wrapper for in/out logging and reporting
         """
         rule_name = rule_class.rule_name
-        logger.debug("Processing rule '%s' for %s" % (rule_name, sample))
+        logger.debug("Processing rule '%s' for %s", rule_name, sample)
 
         try:
             rule = rule_class(config=self.config, db_con=self.db_con)
@@ -138,8 +139,8 @@ def __exec_rule(self, sample, rule_class):
             raise
         # catch all other exceptions for this rule
         except Exception as e:
-            logger.warning("Unexpected error in '%s' for %s" % (rule_name,
-                                                                sample))
+            logger.warning("Unexpected error in '%s' for %s", rule_name,
+                           sample)
             logger.exception(e)
             # create "fake" RuleResult
             result = RuleResult("RulesetEngine", result=Result.failed,
@@ -147,5 +148,5 @@ def __exec_rule(self, sample, rule_class):
                                 further_analysis=False)
             sample.add_rule_result(result)
 
-        logger.info("Rule '%s' processed for %s" % (rule_name, sample))
+        logger.info("Rule '%s' processed for %s", rule_name, sample)
         return result
diff --git a/peekaboo/ruleset/rules.py b/peekaboo/ruleset/rules.py
index 797858a4..6635c0c8 100644
--- a/peekaboo/ruleset/rules.py
+++ b/peekaboo/ruleset/rules.py
@@ -31,6 +31,8 @@
 from peekaboo.ruleset import Result, RuleResult
 from peekaboo.exceptions import PeekabooAnalysisDeferred, \
         CuckooSubmitFailedException, PeekabooRulesetConfigError
+from peekaboo.toolbox.ole import Oletools, OletoolsReport, \
+        OleNotAnOfficeDocumentException
 
 
 logger = logging.getLogger(__name__)
@@ -207,13 +209,40 @@ def evaluate(self, sample):
                            False)
 
 
-class OfficeMacroRule(Rule):
+class OleRule(Rule):
+    """ A common base class for rules that evaluate the Ole report. """
+    def evaluate(self, sample):
+        """ Report the sample as bad if it contains a macro. """
+        if sample.oletools_report is None:
+            try:
+                ole = Oletools()
+                report = ole.get_report(sample)
+                sample.register_oletools_report(OletoolsReport(report))
+            except OleNotAnOfficeDocumentException:
+                return self.result(Result.unknown,
+                                   _("File is not an office document"),
+                                   True)
+            except Exception:
+                raise
+
+        return self.evaluate_report(sample.oletools_report)
+
+    def evaluate_report(self, report):
+        """ Evaluate an Ole report.
+
+        @param report: The Ole report.
+        @returns: RuleResult containing verdict.
+        """
+        raise NotImplementedError
+
+
+class OfficeMacroRule(OleRule):
     """ A rule checking the sample for Office macros. """
     rule_name = 'office_macro'
 
-    def evaluate(self, sample):
+    def evaluate_report(self, report):
         """ Report the sample as bad if it contains a macro. """
-        if sample.office_macros:
+        if report.has_office_macros():
             return self.result(Result.bad,
                                _("The file contains an Office macro"),
                                False)
@@ -224,6 +253,32 @@ def evaluate(self, sample):
                            True)
 
 
+class OfficeMacroWithSuspiciousKeyword(OleRule):
+    """ A rule checking the sample for Office macros. """
+    rule_name = 'office_macro_with_suspicious_keyword'
+
+    def get_config(self):
+        # get list of keywords from config file
+        self.suspicious_keyword_list = self.get_config_value(
+            'keyword', [], option_type=self.config.IRELIST)
+        if not self.suspicious_keyword_list:
+            raise PeekabooRulesetConfigError(
+                "Empty suspicious keyword list, check %s rule config." %
+                self.rule_name)
+
+    def evaluate_report(self, report):
+        if report.has_office_macros_with_suspicious_keyword(self.suspicious_keyword_list):
+            return self.result(Result.bad,
+                               _("The file contains an Office macro which "
+                                 "runs at document open"),
+                               False)
+
+        return self.result(Result.unknown,
+                           _("The file does not contain a recognizable "
+                             "Office macro that is run at document open"),
+                           True)
+
+
 class CuckooRule(Rule):
     """ A common base class for rules that evaluate the Cuckoo report. """
     def evaluate(self, sample):
diff --git a/peekaboo/sample.py b/peekaboo/sample.py
index 35c661da..d4c5a624 100644
--- a/peekaboo/sample.py
+++ b/peekaboo/sample.py
@@ -38,7 +38,6 @@
 from datetime import datetime
 from peekaboo.toolbox.files import guess_mime_type_from_file_contents, \
                                    guess_mime_type_from_filename
-from peekaboo.toolbox.ms_office import has_office_macros
 from peekaboo.ruleset import Result
 
 
@@ -91,6 +90,7 @@ def __init__(self, file_path, cuckoo=None, status_change=None,
         self.__submit_path = None
         self.__cuckoo_job_id = -1
         self.__cuckoo_report = None
+        self.__oletools_report = None
         self.__done = False
         self.__status_change = status_change
         self.__result = Result.unchecked
@@ -101,7 +101,6 @@ def __init__(self, file_path, cuckoo=None, status_change=None,
         self.__sha256sum = None
         self.__mimetypes = None
         self.__file_extension = None
-        self.__office_macros = None
         self.__base_dir = base_dir
         self.__job_hash = None
         self.__job_hash_regex = job_hash_regex
@@ -461,14 +460,6 @@ def mimetypes(self):
     def job_id(self):
         return self.__cuckoo_job_id
 
-    @property
-    def office_macros(self):
-        """ Determines if this sample contains any office macros. """
-        if not self.__office_macros:
-            self.__office_macros = has_office_macros(self.__path)
-
-        return self.__office_macros
-
     @property
     def file_size(self):
         """ Determine and cache sample file size
@@ -484,6 +475,11 @@ def cuckoo_report(self):
         """ Returns the cuckoo report """
         return self.__cuckoo_report
 
+    @property
+    def oletools_report(self):
+        """ Returns the oletools report """
+        return self.__oletools_report
+
     @property
     def submit_path(self):
         """ Returns the path to use for submission to Cuckoo """
@@ -506,6 +502,10 @@ def register_cuckoo_report(self, report):
         """ Records a Cuckoo report for later evaluation. """
         self.__cuckoo_report = report
 
+    def register_oletools_report(self, report):
+        """ Records a Oletools report for alter evaluation. """
+        self.__oletools_report = report
+
     def cleanup(self):
         """ Clean up after the sample has been analysed, removing a potentially
         created workdir. """
diff --git a/peekaboo/toolbox/ms_office.py b/peekaboo/toolbox/ms_office.py
deleted file mode 100644
index b5ab902d..00000000
--- a/peekaboo/toolbox/ms_office.py
+++ /dev/null
@@ -1,61 +0,0 @@
-###############################################################################
-#                                                                             #
-# Peekaboo Extended Email Attachment Behavior Observation Owl                 #
-#                                                                             #
-# toolbox/                                                                    #
-#         ms_office.py                                                        #
-###############################################################################
-#                                                                             #
-# Copyright (C) 2016-2019  science + computing ag                             #
-#                                                                             #
-# This program is free software: you can redistribute it and/or modify        #
-# it under the terms of the GNU General Public License as published by        #
-# the Free Software Foundation, either version 3 of the License, or (at       #
-# your option) any later version.                                             #
-#                                                                             #
-# This program is distributed in the hope that it will be useful, but         #
-# WITHOUT ANY WARRANTY; without even the implied warranty of                  #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU           #
-# General Public License for more details.                                    #
-#                                                                             #
-# You should have received a copy of the GNU General Public License           #
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
-#                                                                             #
-###############################################################################
-
-""" Tool functions for handling office macros. """
-
-import logging
-from oletools.olevba import VBA_Parser
-
-
-logger = logging.getLogger(__name__)
-
-MS_OFFICE_EXTENSIONS = [
-    ".doc", ".docm", ".dotm", ".docx",
-    ".ppt", ".pptm", ".pptx", ".potm", ".ppam", ".ppsm",
-    ".xls", ".xlsm", ".xlsx",
-]
-
-
-def has_office_macros(office_file):
-    """
-    Detects macros in Microsoft Office documents.
-
-    @param office_file: The MS Office document to check for macros.
-    @return: True if macros where found, otherwise False.
-             If VBA_Parser crashes it returns False too.
-    """
-    file_extension = office_file.split('.')[-1]
-    if file_extension not in MS_OFFICE_EXTENSIONS:
-        return False
-    try:
-        # VBA_Parser reports macros for office documents
-        vbaparser = VBA_Parser(office_file)
-        return vbaparser.detect_vba_macros()
-    except TypeError:
-        # The given file is not an office document.
-        return False
-    except Exception as error:
-        logger.exception(error)
-        return False
diff --git a/peekaboo/toolbox/ole.py b/peekaboo/toolbox/ole.py
new file mode 100644
index 00000000..e4a3ce04
--- /dev/null
+++ b/peekaboo/toolbox/ole.py
@@ -0,0 +1,120 @@
+###############################################################################
+#                                                                             #
+# Peekaboo Extended Email Attachment Behavior Observation Owl                 #
+#                                                                             #
+# toolbox/                                                                    #
+#         ole.py                                                           #
+###############################################################################
+#                                                                             #
+# Copyright (C) 2016-2019  science + computing ag                             #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or (at       #
+# your option) any later version.                                             #
+#                                                                             #
+# This program is distributed in the hope that it will be useful, but         #
+# WITHOUT ANY WARRANTY; without even the implied warranty of                  #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU           #
+# General Public License for more details.                                    #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
+
+import logging
+import re
+from oletools.olevba import VBA_Parser
+
+logger = logging.getLogger(__name__)
+
+
+class OleNotAnOfficeDocumentException(Exception):
+    pass
+
+class Oletools(object):
+    """ Parent class, defines interface to Oletools. """
+    def __init__(self):
+        self.MS_OFFICE_EXTENSIONS = [
+            "doc", "docm", "dotm", "docx",
+            "ppt", "pptm", "pptx", "potm", "ppam", "ppsm",
+            "xls", "xlsm", "xlsx",
+        ]
+
+    def get_report(self, sample):
+        """ Return oletools report or create if not already cached. """
+        if sample.oletools_report != None:
+            return sample.oletools_report
+
+        report = {}
+        if sample.file_extension not in self.MS_OFFICE_EXTENSIONS:
+            raise OleNotAnOfficeDocumentException(sample.file_extension)
+
+        try:
+            vbaparser = VBA_Parser(sample.file_path)
+
+            # List from oletools/olevba.py#L553
+            oletype = ('OLE', 'OpenXML', 'FlatOPC_XML', 'Word2003_XML', 'MHTML', 'PPT')
+
+            # check if ole detects it as an office file
+            if vbaparser.type not in oletype:
+                raise OleNotAnOfficeDocumentException(sample.file_extension)
+
+            # VBA_Parser reports macros for office documents
+            report['has_macros'] = vbaparser.detect_vba_macros() or vbaparser.detect_xlm_macros()
+            try:
+                report['vba'] = vbaparser.reveal()
+            except TypeError:
+                # no macros
+                pass
+            vbaparser.close()
+        except IOError:
+            raise
+        except TypeError:
+            # The given file is not an office document.
+            pass
+        except Exception as error:
+            logger.exception(error)
+        sample.register_oletools_report(report)
+        return report
+
+
+class OletoolsReport(object):
+    """ Represents a custom Oletools report. """
+    def __init__(self, report):
+        self.report = report
+
+    def has_office_macros(self):
+        """
+        Detects macros in Microsoft Office documents.
+
+        @return: True if macros where found, otherwise False.
+                If VBA_Parser crashes it returns False too.
+        """
+        
+        try:
+            return self.report['has_macros']
+        except KeyError:
+            return False
+
+    def has_office_macros_with_suspicious_keyword(self, suspicious_keywords):
+        """
+        Detects macros with supplied suspicious keywords in Microsoft Office documents.
+
+        @param suspicious_keywords: List of suspicious keyword regexes.
+        @return: True if macros with keywords where found, otherwise False.
+                If VBA_Parser crashes it returns False too.
+        """
+        suspicious = False
+        try:
+            vba = self.report['vba']
+            for w in suspicious_keywords:
+                if re.search(w, vba):
+                    suspicious = True
+                    break
+        except KeyError:
+            return False
+
+        return suspicious
diff --git a/ruleset.conf.sample b/ruleset.conf.sample
index c8909a96..9a9ea739 100644
--- a/ruleset.conf.sample
+++ b/ruleset.conf.sample
@@ -9,13 +9,14 @@ rule.1  : known
 rule.2  : file_larger_than
 rule.3  : file_type_on_whitelist
 rule.4  : file_type_on_greylist
-rule.5  : cuckoo_evil_sig
-rule.6  : cuckoo_score
-rule.7  : office_macro
-#rule.8  : requests_evil_domain
-rule.9  : cuckoo_analysis_failed
-#rule.10 : contains_peekabooyar
-rule.11 : final_rule
+#rule.5  : office_macro
+#rule.6 : office_macro_with_suspicious_keyword
+rule.7  : cuckoo_evil_sig
+rule.8  : cuckoo_score
+#rule.9  : requests_evil_domain
+rule.10  : cuckoo_analysis_failed
+#rule.11 : contains_peekabooyar
+rule.12 : final_rule
 
 # rule specific configuration options
 # the section name equals the name of the rule
@@ -71,6 +72,10 @@ greylist.34 : application/vnd.ms-excel.template.macroEnabled.12
 greylist.35 : application/vnd.ms-excel
 greylist.36 : application/msword
 
+[office_macro_with_suspicious_keyword]
+keyword.1 : AutoOpen
+keyword.2 : AutoClose
+
 [cuckoo_evil_sig]
 signature.1  : A potential heapspray has been detected. .*
 signature.2  : A process attempted to delay the analysis task.
diff --git a/tests/test-data/office/blank.doc b/tests/test-data/office/blank.doc
new file mode 100644
index 0000000000000000000000000000000000000000..a7b04c5f51d22c6e1445b81a27d49a0f07648833
GIT binary patch
literal 22528
zcmeHP2|Sg{`=4_hOUjZiA?46fD$7B(%9d7&vgQgMTZD7uNV+X#NlIv=MG6(UDObzw
zT8gwu3ZbN;Rf<T9R674>4sS`^TlaVWzt8XY>pVW+_nCQS=9!si=6&CJ<{hW}+R%oS
z-(>HhK4gga&_~W7B+yGvg78=(E{@PR2xHkt4u^xqV*n83(SMNznhz8q5s^U@gxVy|
z;6X$r7+D}82mwTq>k`)`0f_;LT<I4VL5dWbD2kAHSFQ^No(q3Q9FEwh<blFOhTpjX
z8^P{4<~t<2!+*wqB8mgYgMg!ld&>34hd}x%NXMK=KPrV#AavziPr1L#)j$s!^wNQ2
z`W8-ue50iiItc}9Wf58faT_S#(-f@c6A^YG+V?4;CqT#t;#hBQBJ>fQC`aTW;@(gW
z7j5rpR9}ws2}62cJ$>WYKD~+1(_8i}VWM4srSI?RAE*s|^%3)J(e}|6E)%Lh-3)~M
zYL8v|mXifL;CUMYoDLk%KTJeE`w`von?2=;IFa6+`mbLJy@V!Wyl_3rASCQeaH4)9
zPH>|9K%B_emlN}m-~*K><oBUn-H$3l(m(H84-qHqOvDG`gjQl4`|`g^@0<UhiWB2C
zP`d|`6Yc$8K9D~AY!((l$QdT_B$)O5NCK{c@J8X$f4&7^;CS>STcBs1_u)sj!4KGX
z0Vywi{T6WFdd9!&2eiQt-etT(C21m!crVf<e{m%SlFweHM$NutqL3ZUuLu|&AI(pT
zXHt~15gML-jw}rr5`PXmH9YzsvA`$+F(d(xfnbst5`;Y;{D%+)KNipqK=NNe2R4ZQ
z3PCVq{t5%>Fod!LrTu@%GoZhOUhIew;eq(6Z^+ZPtQXvQvjBbN-y5fYgYCap=f5jI
z(RP0rUmVs1z{Ur<0MoAq@EGt0AOL=Z6krTM2QUL*2k-<00oDN$0R5E{2RYWO40YTD
zdp`mE9X(Q@=SMCV5B=8z+bsaR1qgvXr2%$;HGp`)K0r305Ks;X1vCKK0Qiw24xj?)
z0Am0z?cZmY{_bfiRBvg<hvot116*d2D1Ng9DNFzx5D0)QXc|I`UU103hkV*>5kl4|
z5HS!Fxx+O8uH8GG(#X_InyZNc9Bb>=gm;(wk{L3gwsTUD85+{#f{G&<WP)4~8*~Pu
zUy$lowXl&J@`C!jktetQ0JvgW0FsxSW55Yrba<;-AQt5H18u&@15uF;gj^xy%Z(!>
zhlb+^%)}Z2L=xun?GEsRgn`9mG#E6~kq`A1rwH%M^|X>MFc_JG7H{Z1);b45Y-ooE
z<R)|XkrA3_&PVwPzMSB9r~+!bD|QBNM9aaQFbue(DT^8C!3=b<S>f-&c2W!W^F6$|
z)S{R!KD}eshww+LW=T25LP||x7h^A`t}48=lO|PiGbi2leaD<io2eO8DPNUZt&Zf$
z4+0A01y2<3NJ=+5+CFsx?b(Q#P6z6BEo-yvqSwkwPhlJo+wm&*biT4~ROsyJT~-HH
zKK5TcC&wT*K0rQxf8{$pa;bLEn9#0J(XwUpZ%aRm-mLea#Pr4^zLVJ_7Z^N$)VYIp
zKmK^Gk&eY-GgG1PV})C)nln0Qlt@igyZp!4*J}GGM5mNFoVDqc$$sMOp<SV!ahKXY
zI7Xs4dq}j)wZ&8!)yHQhCr3Be)j0U(--*qMU8UoE#iEGw)1uc#PljE;65<#F7U6JU
z4t`;;12yT5g<vNgc+%i8a0&46Wvi><Yed|&CB^h1QLT{$;T5arR~Abv1*sp1H&stt
zjqWLjcqxvk8}Y2p@}huno>0X8){a94ACGM8ytl29Dzz(9p!mM2QK{FxAcHd@VI`6K
z)0KoAgZ<Z~t*krYl0UB^ZAzKOhy$}u(zi>9t*^Drw>mP_y`n_C(rkL&L|0l!`sSrB
zH{^FD%QWcBx&B(p>W1#3BXJoeoMXlGE6J8cAxBjnO{Xw*x6Sc>=$ewD{=m8*KEork
zYE=1&Q=K(k(3P({>a!w2DjYhv0U!qm^z!iYQ15k}%V07Vdj#MaGUUo!;bN+|@x9e4
z%j0Wx-SU*DyXKT0$$NuLlVnXU?yKBecjM86aNVo*KUMEG7jaNY5)|3sQKq*3_qJ6k
z=_4|3&5}E>;(PC+<m0Ab>5}7{hSkr$#Gb!;bai}W)`>gRniCVM6<Ss9IR8OgVz6<h
z{gdk*<L*y?Herk~S+D=b?=Sa@+yXm)#nkSv0lk{t-31NY>}H3ujU!4V&j_{~O<bM$
zx;iVas6Ey4+AXb<zqv;l)XX~YyxnGbbY^ADc~_yk)@o}D$2^RWEND@PP-#A^_Q%6G
zjhnRHMv6x>9q-s$l_bl^(HS%7fr)EctB>AY`TDMP^_^?ZW2*8B7m6pm`S5PfuGV{j
zSEXp1e))K;c7Npy1BLmy#@h~@YGh@%8Rd06bGb8prsjn~Z;TBkXJ#~Bv^o--X{!;%
zpgqr)w78e2^kC4Iw##Wx!_v&lcb6|ov-7bXHqENud_H-Jyn3R0Y}ZQ16K=w}*5j%Q
zliCkiZRq%I<ICKs>o-YTJ$ItsddXPFpO<tmv9d#1LgMt3PVKHn`_?;Isc8$>U*^kM
zcY7M=QNSOC_w!R4A67VMc#B7v{Oa=L1{&Y7^ue1`+DyrJ6H!@Xc4f@QtYdei1@vo>
zN1W)Lv^N<JzqhUX_;^&~nhZlJ=WxxgqETx!Wx^y?^94NK`isen=7w+1atYU5<s(*q
z<n>IGy2_&_8cI!_qjIHA?ka9sGWgP#3b(QOBLubvjkb4ArOIx2Vr8x3FkbBZ&tcAV
zLsBT&iZ=UcNtv*Eh1~t+>y`B%oSUpLf5_V3r;Zy&U+7ac=ERr}_Ir(uyyH?w#|-g4
zKX}Lb0)_Jzhp{c}avF_L)@jm;_b;!poH=hFzqVwZe)qKO*_lSRk8Q$j4YSeK&l6ie
zw(VuDdDitliWSoNF0QsJFPL$^zN=+<>&F+@Iu1oiCLRoapWa&E^|q_di1X1Ur0Z5n
z!L^E=gZ6Hw3~n8I`c-lcMe0dI+_kr_X`UL22d5crqL^*obv`9T#cgnxSGaOOgTT#`
z57?rIF7W4{S;H8bd|{PpwCRIlz28F9V=71wEGA5`Vas?XXI;N!pzpH#RJxGUsmG&I
ztJ>Rx3&P~g7mkn8IO%1WqP$)C?6`#Fcd>iinit#|9<d<EK#6^o;%L@7_`Znv(p~N|
zt{(Op9~nEFyr%Y)P}mvOx+KF6ftXx7gR{eRB;E+5ineRbQPsLT(<fRY@v@9rhIiXA
zn%nS_rghim-d-@PEihu-%L{{5BFrCaM7@@^2odtW(DKGQceXDr@!{<QFDV+HiZh#6
zNvF9#I%_docK6L|=k+6$+mq={VS6=KMrAB-<1-V>eXn1XkY|)6l5Db0d)#(X>S+gd
zlzOY1=lRw^(?p>>tGRo}+HGiI-;aqcnv^s3J;iN<S_RpywYE`IfbV3Euk)5Q;-+@`
z7mgJE6571LwsoA;&Ff`lYm%oZoE5Ge7kiUrn7(_@xnm~YVQ&@6;tHP~EW0@Gsf0b6
za_}X4*xU8S9fB|JPrU3#niSJunDKgc%wh7uyOEQfb#J%V+rE)*E*&nlX+pDke9?`B
zwda_Z^Ka;AP0Jc|IdrGO6U~K9QqxpA5*0H~E&1()HPf4Qt5T$Vq{Cdxsg+_u#*+&y
z-=2B4dS7wy`$U%9?v@9yCNt05<>Y#%vz2$swZ77g^3QWBi+{o2`D*vBp+Bcv(yKOi
z#Vo74e*4YDkDS$(Y%inwAkC<Eo9ZksM2S8)xwS;h-q2#KwT^oEjSRlH=6y5e-_ryw
zS0_YN9=bhmmEx<SxX^m7je~}a*I!)|z0tbRc1T?2l_H9i+WlFj!AT|c;xd+Q$HT6t
z<R0BNP0@bjAl7+`oNN;#of(<_?BO=moZ_p$IF0o6+-^&Ch`n*vRZcY1eI4^eDPR87
z0?!dm;WerxrIjNkF1YJN9}J(ia&kt@{<vjDUZN7ec*sXizfqK$R>g8Uagm%M>AY6{
z_NWhYT00p?kxFS?TArl7ZLg+1tKio?of-zKFYU0S7>5^Z3az~EbpCZid)3pNd3j;!
zsuD9!)zXf81cr}weJhhRGhMboc+<0YxsJJ2sp)f48pF%Sdmo?N>bBI{CHyv%x$n@<
zab8cI-h8mriiqEtW_!)$Y>LK|F%#C0Oj*NLkS*F%y0G21xSn?G@TvIGwEI^YCN;U&
zQWYfFaa;B`{`zP*D7dPy%dvno=-yVP8<EG`4{hd42UC|SC7WMwxv)Mb@QtvHVX5R*
z)`_=eMP^&FitbzwUfQ&$LOWyw_1xJYCmDYe%I%R=T0Uw*3)e|TAC5V*=j^t0r<Xcr
z7w753J{dn_#dM9WD+F#F%HNk(FFZn;)w!!^-@4iDQ-h@rk$q&VGY?L$zN9C2I9FcE
zDnV<Dr-N43;nd87lQ%kO`IZ*Os<P}Jir6_0Gquo~uqq*Uxixe7?q@;oB2vvliw3{f
z&wMT^9A=W0bS3qmbZa_e`>~hv^MZVbza=fPA15)RhUHiN{AO0h(5p?0+GcE*e;AY|
zwJxFVw3Xw}^@+QO*EKiu)8d8({^2t|GDvBmBby>pVbei#xD~3}ZuQuaFF9X(tO2L=
z=bK{dHu*0&wCwCsB`<*!W@DRmCv?$$Yc4VhbYv$wn=m#nwGum)_ioU_MdfqXxE;ON
z!ED*uGO}!szIo=H`pfp(OIQ22u=JQM1v_(-It<9O8%yonD*b{4v&??4-D?w8vCq0m
z)G_>WhPH3qm^8-CCJX1zyO9EdU61Krn<j6!TdjAPlC>+fzRB*ENm_;2t*)zjPtIJf
zlU}eQ!7#uvbcOcOl^p*5mLMV(@q16g(qjZHP{#IIf^@IDxbO8|3z436*j(YW^q(R+
z!j=oMSl4sKH;=iqzC5dnFXExLh>j6$eshb+5fve|D8}iX-g$|8N`|><-qrBRloguP
zw0-HWBEM73vBp+X7SXkn-Ln^k#j<o;Bo}WsSDrhDW~HpAu_Hiqtl8G2@(nhfp-1%6
z;_MzOrX4i7lvh5hW7+C`FLskwou?JJim$9jG70l`agKHA$wn_$mzQ$-INyX_8_BPn
zdf`gL=-rufD3={`bI;X7$GTTvB(f@eY9DA}4%vE9Kg;xa=3gr4yHfpJnhy5twQlWO
zu<y$6b3qwc5`VRn>Sg}En))uoK5MG!PZM`h)>lX0N$^=m5}f1c-I_m{67$UYVW$Ou
z{pCka(ECKZbVpN+U=c_S@(5sivzP{o8ftV!st41J<?hW~Y@ldsGecERk;)EaFx?rx
zET)Hn;tCJ8qLHD9@D#=*H{XD{41X#pV6rDM3>3Wr1N|qdtFzr;nap6TvHU%lkmkt>
z@M8o*G+?p1djMlODE9MJ*QC>R)cqLVOhu~eVhsaD-#`sTYG5#g+<hSAx>ys-G_edq
z?miG=xVeE-203~Hgap#NC7<$W5fUvT&qP8pk&tK;5^X}FLr8QKsb0R`OdseGW{Ol#
zmhY@?0TEJEH^kNhGs5019KizOo*L-+Rs*;4r}J4{qeB#2R@lGA)L)2@Qy>p^#xbyW
z`Uocg!CXQ33xM9ZTL^y^lH+^JmE#s*eVA~VV@wLg{4)_Tg5wl2u~UGB@%WU6G4244
z2_jo?oP7W+v>dKjiW@>ucP^Y8H>&#pSMM<H?#xl~po&Zu;Nz$8lldqdHPql3j0y+!
zDB)HFVH<GG{lGD2BPwhLctCwrWCiu&EdeH^Ydgo2$cUexL?#Iekomi<_vM+AP^{7#
zt$;GFP|_D-T58<d2MbWhm?)g_sKK<K+D*6{6?pRjA>HmWV*I!OUw0YK;jde4%H6E+
zhPv=32STQ5D!8X&e7(x8r2SR7?oElsuvLP$M@+h{Md1f)3E;ZPsDVR6Qz3~<d!YtQ
zxNh7_Tr&eKH5aadpaUUAm@Y4bLZwj~{`7N*oB#L8LFs~5f@b29c=CLvZgmvI2Lu0^
zdMfD=6!D`rJV(Bie$LGc{h0-#`J?%dqvL4p+5q~W<@<YSpGT8q0vcePgwO}P2QUB`
z&%+6WU*NNyGzg2sIszV6Ap?Q?Xo2UCX21Fr`q?TJhs_c0Bad4m7_Jxu?SrJQlY1q(
z?;8-_2H@6mIPmEFf+S&1d&3rD0NlxJ0NzBTB1_<&Tshv(vxO87$niaSzo_KDE%Ff_
zw8Ela4=<K9MDA_xwDc1Hb+ZtfF!oq2o^3IZFcdgWj|brCvIBtM68iyo{IUUfz{&ym
zfsKa*KV6>y@WcKC06(ndKnWfsW#IV4DE=mfPvY7D$J?!ofa8~+FK~Qv7@x`&2fhk8
z-bsxBj_b!$ZWM50?(_{yL)u(#w*VHK<rzq|^z`(0^Pt+YJpw@9H*aqpxGffVec`L-
z&I<J7=KU63cxq$4{pPi21-L_+F@PXr9C&J?OCMQH;)Z4SnBWtn*rw3MPj6u2O-yh|
z;t|gRJPYtFz_S3)0z3=wEWon>&jLIP@GQWy0M7#7WPv~P|H;*5)k$h2#J47b|F6<{
zgbo_950Cv~?3d!rLF||N1F*lp3V{9n2mszAhye@-Yy;r!nIr)A-}eKs|9%*N&)6OZ
zV1GX!fOVGu`t$1vzqfxb&aDHA4#-DA<+$A#+~aJx66~nsM%#D?diZi(ZEiA1c*L^+
z&jLIP@GQWy0M7zE3-Bz!vjEQmJPYtFz_Y;rj0Lc>i``)CQ{!*n*pJ8VF#cYTf7cCv
zr^nysvHy;JbL^+%Z}Qmh$G$xF^YJ%)?9cxMfFI@ImcxEO{{AfkfFH6#_(zQ703!id
zuRL%nKmni#7!9BSlmIxr3!vN+#&HZD{qq*U2jW=VgD}(KP+TA!eOUok|8|l>{3N1P
zcn%2+!m|mXLhcpK=w{tl>JlaHFJp~|XlPG@M$iA{;s4S5J0yz8-1_mn#qIbO9rz3i
z@#{(U(0lwJjMIR-p=I0ygV+w=O0rNtzJ~}Kd}}%G%>$YF;dmjg6(35(wx127;K^+h
zmIT7VBo_Cu;y`+pp?+*}eD8j1|G7UfhHqXV{;zueeeKcfvH$n<A8)x4{U^b}LwqFD
z9}Z%<q9r)xyGR0_UPRsB+J9UDKKt`e(ch{6pQ;<{`B&=4bC>sQ?QOvyD@=mX=YtnK
z?sea1Hx=f_=W}!T;2Kq5R~63IYpG6S`7HB;^YYxa!CY&cHjU-Ry{U0n4I<ohH9ho7
OKW8Z@;?aMk1^y2Pylq<m

literal 0
HcmV?d00001

diff --git a/tests/test-data/office/empty.doc b/tests/test-data/office/empty.doc
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/test-data/office/legitmacro.xls b/tests/test-data/office/legitmacro.xls
new file mode 100644
index 0000000000000000000000000000000000000000..cfb3caa886798cdb12f30ed821096443cd8afe55
GIT binary patch
literal 35840
zcmeHw2Ygh;_W$f=lPn=2g%EmJk^lixb~l@Xv~&U_BoK;7-6We3NP$fPp#(w)MVbl<
zC<r15f*6|gCMr#epi-ox@+_2xf{N__du~bYmNb3uSN^{@`#E>!o;!2SnKNhl+`DH^
zyI+6%!zMSFh3mrX*fUcd<{-h#5GLT98)K~ykOQ8XOeP-57=r(C|BE#6CuH?Q;n@Kc
z0DAzHxg$Ucr~_~U)CD*LTmba|t^k+-a|d_;>H|Ch4FFz%hJZ$Z#(*Y(rhsOE<^XR%
z3xEpH65s>y1&|%7;fDd*0Q>=M0qp?o0RezOKoB4ppaDbzw15zR4iE|m2N10Y_#FVx
z0XhOY0XhS^0J;LA05O1QKrDdL5d2?qeONwzg(!<SmIvR+#zPY|cV4g<QD4*+sFZYN
z>>zh#@w~@hS8Yh2?+|c7)|zgqpx_38yOE7zX`CFRcw{ZE9!xGH8x&=zNm7#V2^Bot
zFxDUC9|b>!^<l}Z2lNob`r<x@^#i6l=fh+&86r`Apn74;l|Jmj<y*|ZG!D;Qim6>#
zi56MRJJnrVPQ7yo$Nx;{VVp0GQ%8wf>|oDcNIvCw2(7sTD*X-kTNHH1*iFD-Hk#^n
zQg*sAzaT%eP?emSnVoJ>^(!zKRsSXz&B>sbkqif+;Lb87+9x|;W$X*!cFR1e?TO7c
z6d0n6X@=~=f?WOR(S{X>;f_{^(!n-xt<POQ;3)0ouATA3H07ksG^JAtwGq^-Jui>s
z;=RmWeYk5qTxD!0m*x_O(V*?RkN8TqkP02-9c3|0&vIBcEZB(a|C|`@*a*lNRxYWF
zg`_H$2zj&E2-JF#IskSY#`coRD#@3k+89@$uc~Q~_T0;5s!V&H)yC*lZHz9}#E_v6
zs4BPjkr!PxF{sa}+7e{wL96CM{cF`U<mgSSjv<3ZR>!4Ir8K-1A!x-LGMO*BSYQ0q
zsPZc2!`@f<pyM2jPS@5GZ$)Pe6`EC+Y!F&c1Iu7Tsvyu6<BaA~0zu$i6?e<$-iq$X
zIvU{$0WG6+WR*!`8Pi)a24jsdCL4wvw}S>Mh*s!>p7A=VI)+HY2l0I*`sCBoH4>dn
zAoErPV3331&al9CD&GKKU-huSj)Ns(!utgJ06Q!&a#*0ZVk%0hi!C87^TV^E;xiZ3
zc07tr@pyr|qIOtjS}L>-BQlJ^%7qS6o5{`J3Zi%IDhhv{8zVCIi%ErcKy(LHghyk=
z;~&)wPYo4E$0B}Zc%o`6{{PQ-8OpQV$$34~D1p<%HsOh4C8vLD{0Eib=T?GWRtbK2
zCHM`M;NPzVUzt2hDv7_b5`1O!D~tbOC3ODX^6cXH(u~Tyy!Kau-(CrRXC?TpmEigO
zTJz=Qp;0a;&#Uh42U;9x!4$myX#_0dm)2ccSH#<+dE@X;1bbt=9nwtFJU*{aPZ56}
z11r`A6Gc8g%`mz67WJKGryRcAo<+NAZ<8<0V$I`Ql=}*Icdxo$kYBXtIyULhjM$vc
zCQhF;d$uK~qliC`sRlOz=JQ3fY%V^J$K;vE)684Is~9V7WQDiT1IF=U{NV^<(#_Mc
zM|Z)|vCzLgT6<e~n$2@~3;Hz6;_$C#X7c5}Q#DEH$tF<-%3T*0-PU73i87FtnBggc
z9IFSO+)4wr^<1BTuB{%%9&+mh6s1-PsNJts0$TE@RRUTcsZ|1MQfrlfY^PQU$f#<S
zfC{Bn3CIj<m4NDFtrAd0s#OB2!L>?2O--#5P#agP1l0J|Dgnk$wM#&YV71~vt6sHA
zKuct`N<iywwMw8fOF;Ec+6c%>lu;I~1}zfVmA4v}3FJzlIiZTl&s%~(z>)|pCss?u
z)U|3Nw5C`s5p9S$5z9s}0z@hlW|bXl(P^cV=Sr;``a_dcVR8lXPY*u1_qnO^{L|8C
z1(6lZ!8Q@or&SSAn-dvOi6o{UR!AgSWKo>7i0jA|CrRD4>)1*pIr&C85l115Q>IKY
z`EV1aj+pTA+2(QlOr?$l*O7}CiFtKJJn-XOiPBOif8eD;b+s+j!-o&8gzDP0tCdhZ
z&Ri(MSqeosK_+O)QYc#Xt`O??l1kKVOQ?UHrYtKGt)*8Ol9f<mv6xC_<(jh287;u`
zIV1ZgXVawDu3cMBM6`i_ow_Y6ChZLH6_X4T<zj9F*14dqhl*TS4QIrPX)>L(%0*dO
znU&G-ICG;RoTbqa4xBk>J!GQ2k&0Z99hj-MMA^@xKGKGYqP%&v$_4423Q5|iNt;};
zK3cb1K1fy3TH?mKkSz&Y6QKcZ1raOhNXK@}kSUeUnh5PhRZHY#V%0=w<EmOBmW{t<
z?eR4uf*ad9p)q6SZ8;6XtChr%Sv3*bo2!<{$;7IO&_-UhM6@AQ6Y(=6f*ad9p<!|5
zI-v<mwUQVzt0sc!RrN$pCRR;^Ha4r3L>p2ykyd6zaAR91H1e-pCp1~ERuV&I)kJ9T
zwpt=56RReI`Fr(5v>{a!X>CRXH@0;`lbgzQ;%P>t()OfkBD9xX1D#Y&L{$?a+K{S=
zv@s)s8{0ae`CH{Wp+%l*vt!7tnh5RfS4-q%V%0=i)`W;QL`vipd3~Hgz+6qMR<%+E
zs-i|sFys|#7Auq4V$z-9WD0LnJsc8HGZl`ksIbhf!iMiCHUZlcwB=2GxgD0DotdM;
zka_XOLz6v)Wn6MoD_Wi)PVQEmwAP$_s^mlyCV`W^A@k|&FKu)3u;LVA&8c;jocJ+6
zmnR29=1)KUWSdicD^5CVPVK7XL~}YJPmYF6)5DXtIeA)f3bp1GR3#^VGRWmgX~_KM
zhsU-#HL&6oX3a@kB`1Ey$Z@J;$h>*)l5I|2#7S3;?X>_WU5#w-Wa73@zO&7#p%o_^
zw&z<VC#mh7Onh=;lWk6otT@@Qy*5>HlG@(M#LJg2+ve2Rijxi7YhNWNsqLLiG=2Mq
zZB9+BIN7kh;3_#uZSQ2_zOR0^&8evsCmXgGQY9y;?VU{g<oY(-oSG4*uxe~i1x{f#
zvOR6c{P!v;r{-3iY}lS(m7Juurww_uWrpoMd0TO^VSD~na+2DfHssi`W41Z9u;OIH
z_5!NpB(*(li0NXcZB8mHPBv^$T_q=}?P)`nAO6-hr<PWnY}lTzN={PS(}uivX1*;>
z&e$QwXsx`njk4%$o0}Xf?Ot(U$M`W%6x{}$TN1igXN*zGiNd}tiMF&LDzzxaek#$}
zChAu~6sBZJw3P)>sqrvID-hg3z*5py6+~e*mPFfH5S7{qvV4%)Cfd4!C=A4sXrKjA
zsYx(4X!!-(MB7vlg)LYT)mRXfmOf*nH+8d3)Sn|-RFI`lGb~n)H!pp81CD4BE5OMj
zJ<dcKpgl)!aAl8`3tF!tol=-qbGXuXfZ>V=86r#XlxBBz%<f*1yJBk*+YQkMqal4n
zUQu4wV&xPIdAv+cINxW$*(?J~$62R5Rs_hZR4Q84GLwpyQ7WY3??kEiJ5ehB?iH-c
zwkvfoEmj7Yi(>C!s*7W$28=tiSuS^IOogK<Y8;Ru_ln#ZM=DSU;<EE>tJV{$jYC=z
z-&(aMESgrRcI@BHgbQ{JF@}yaW*O4*vI`a~Q_XW@*Vv?lG)Bl`Kr!b*t^(vjfzh(X
z*qMsg5$h{d^La&zcMiyO0}RKp&=Y4Im2=x@$jiWq!oG&$!o|vN=KSQLCO3}XC>*xC
z%@t=J4i{0us&HJ>z=|=Fr{ynE2UHqD<D$fgVJtUwD+1XL=453}Om?grY=RQ=!&ov!
zT2L1W(W<*ZNWp?j?NG8Rb0YS3h};tgSaZ2@1tqRD)l{0j3`K=TeU4S_lQlzW_JZ8R
z+Q?ahQ~+8>7X?^>#dbjeCrnnbqS7nBFnhvcWrn#JawjC|#hvEOhLO=(ZW_W;erO$1
ztY)-^SYgooooLYfooLYf9T~K?)E?RPGv{Y-k1V7>`26yz6rXh$oW_Rjq^6I^LA`|1
zW6TrEn!<Kcx$2k$4N$c-S3hk<l;<A%73Jz@r3`X}TaaTMxk4zBOhONdG9U<V3Kr8i
zH;l!x-*_d>U@S-<Va(2ibe+w~*}0;gUg4T9BW#+aql2B968mz5HO2NF$;l;qMec#a
z%-CX-5LH=ELham4E|ri~2~$wYvXr!(+Cs6i*u$ngFq*SqWIYzMbFYFC-)~mJ$kcW9
zM>n8&Via!4$a*Md=TQYCzAvqW5kK0LbBrP^8R@L*ie3FG7*YQ!6t$#OFk^3kv;SyW
z`WuX+@}7>)EHtQIFy!Q*%j#!d-ttChS^9G=$tW1mQyg}tvNoVyc>&iP{HPPND{ooK
zy9lwXq74sf%M|RnQiY9rqCh<vfJTc9N$h>7iBPbPrH+Vi*-<#c0L|l@cNF#UCId$Q
z1N6o`X^Ux5%j9)2)*HZ8hdkt<>eiCl2%(lWz&jGq8>cMQQ&g1E#;2Kvyv53wEcDh8
zdaKZo3Yw$t-U$5}5zgdzN;`j>11hmqqS1hZS?BM7Hl$)G;DB?q(!2S}=h=M8BF{n;
zkvo2Uk>ND1$Wl>=<GD~0M9DxEE<*FHMT?cq#&WG>MGWal=rA^1M!P^W!EYe#R>>S#
zl75siKZG#X=;aX+qb1BYkrIq%CUln`4Gg63ixCnmPP0teh%J-I%C9W(?^3P7`TI4J
zXOwatx={^&n`H`wWQvBMC8jxqbMS|7)9Q#EN^VU38V8U#eH?CzGw7->$S`4Kq-3Ar
zoB<t|NLP9Rh&b=O1YgdUD3vZtBu`xC$yrKIJB25s0-zUk?p}300Q+Fgz@t9=K{5Gx
zg;;1C)_449L&1=s;@q6~7oF&JMC}&$IN|B^JApk`ltn6A-JSO7{7+X;I{4WeeqP7E
zE?d{{kH?AU`bMu;dF2FL40-%k$6LmIEgZKWd40vY9v?i6ZtwR)({4l7UJFmYxT*i#
zsZAPn(yw)W{n76Id;P;_mv*1Ktk2qs-;T~oEbBafp|Qonch3DDAwLm1wsq;BrS(n~
z^}f>Rhq;R)ZXJvH>W<xxEzO_r{PUgPUiZ7XaNF*#VZGk(5u=>G_2A<3Kd%2R{+L&E
z(D7YuehGS~{oJ=t4LscUx5it(A8H6a8@m3g>S5h^9!It~&mDF;OVv2=+XEfnn)~DB
zF9+uA{bqjI{7GR$Pxd-w@*Mt4*YE3padOI_DbR=s0|;|{t^IP{cL$-TFccG=Z5d`X
z<P-!4(RIdx(<6_looC;hxo`T}lHTWzG-@?Ac<sWN;58-ehX0fiK20w-{o!)*rw&eg
zlr!GB_xQce&o;mG+l^PhQ+X}h;Be$-OxF`5Zj9}GV9K;(Gv8U)N;#-_^sF@#FK-{V
zH|6Y_PNy_Y*Cy;xzvkgO=VJ2SKAWR6&K`3+*CXz-F3oSsx<zA#ebwUiw;Ep$OZ?&&
zuRdRe58u3C{V~(lBkGfHB_EpdLBO3jMPB%;iP^W)-d-PkD|O$(^@a`Sz0Yj_=(jKb
zL{_XbI%@n9uj$C(ivZdpD;#0SH3UnpN%}l}mcd9C;(Rj6>4?fL@<z$q;}%{FPv7Go
zmsWOS^PXQ>%!(#apRPK$^72=AZcPvW{F>*5<vm>n2CQ&&dC_nxXwJ_2lLFQ?U4JQ|
z+0lTU8=p4#_HJ>bW7}S?f35px1-(mrFD#t7Y5O;-FSob9(DGiuH$!*%jqLnVw*lXO
z@wn~HxF6cLc9KWf7XEq1@VliLpdD24FRV$#=Chz7v40$R>ZPXLybc84o-*S1pdU64
zYBAlgCOP@X#+RQji<uwVr~8n%{t?u>-?9(YvxcwywQS2mmt6|uiIxFP6I892KGirZ
z_xq#Uj~oBdf81+*%d#A{W-M)d=**Dc_YF8O;ogOb$^F9fyT0_^xLLbY0e7EVXxiY~
zkz=o(N+|pO$$~a(`kZ(?Blehc?<LpgANb_(fs!9yIdCP`QF~bPYh)L9$Mv_m^$Bu4
zZqUrs`{iwE)$9764!1Om?;me?r*XIMR)xQN=Y_TB{6C%Jw}0uXM(4Y{e)^c_A3MWF
z&h{*9(`WtEws+FkdfrRRTGwx;+o-eau5^sqcI$|9$k;B2PQP=nx1Zmnvk%(;emeNt
z?t$@+Z@9fSF~eooqGu;=Yo}h!PC9+8VVmFHiE?vzIdAhYyY*L&x-38P$(BVwe8F^Y
z9`2DEwBz&4O)WB>w|lkAbA_(UrcbzVxasddbX>9L?cbj-cIokpW5*|F*Sq%LcE8E1
zH;*)*^!2F64m&2h^my=c^GRFJHCH6{Jm3)bs^7Yf-}m@>{p0YBr&<=oyS{mUY@>P0
zwkM9CI&H*fYkDSWvgTfCI7&0&_!A{_N?7DKx6M~QJ9SH)bFItj+cWCln-k!p+}o<h
z>!mk(Y|?Hxf8)UKir>3W^lUynBcc7!gRwt4x9#%Q>&CKIo1210{NnQ2<*z=tw)g4X
zQzuql+dJWxZ|@u^+qJ!2&!62|)lL0*!M$hC?&a^lKiTx)a@YM&yFK?y*wELXj59s`
zVb8G1B`YU9KSuxJ&S8Jv|9M@DtCRoSd2PSx+}rz3oSj=|<-$gF?{(?&*!#mqUf*9|
zko@G1Uu$=tC5jg#cgFmZ67O~YS(DxkH_y(k-{r<a!{CD*H?H&gYRtz27Dr_6Z+O(}
z{_C1c=~uE#Cyop{a`=^gWuucnAJF<|_voz6yZ-S1uvw?Ufi3rWEImGXM&L5nwmtk_
zxUT4#T=Hoz&Di&UE{G1;<NZq8tZAp#KJM^f!kmaCZOb<ORSlwN`#BtVe~9AHg(bQ3
zR~C1UAF|Q=dPvhcm*u@3f2;HElE(K|y%zgn&pV2v=XFoq7cYA0cJZlot@Hf-iYH8M
z`_EY+0W*4jE1UgGlU@fL8-McCuj#wz=lU(ZeSYmfm6}W+#~-(~c)R%S;rZP?-uOEC
zXxkb7552W_r?m)~ID7rL`*uBk-Tg<MLreB_U7_@jF^0BnAX~kE;F#IL_l9R4y;q#{
zopMiE;?ht1kNwGbbKd-`BlR<Xb^pZk%{7fbxq2(Px$}ga?2CI<CE?TFH_jO{wW#66
z4>w$`AFyTJAIrY+93MNQL0S6V;S--U`(UTX=_ai-H~-LGbNpa=Sc~Y_3f?{ESU6#%
z{9gSLPgO%##E(}+&UU{taeJ3}3;XRkzi0HPKP(&cY|m%j(@TCkzk1Bnk~-Qa=d=sI
zPI}|<rOavTL!;c)^%X9&+J7@`&Yfq`u^0LU?l2xd^;6QIk7P}JH(s0D{o$c+vo`)z
z$J8-*LHdc36|+9w^mUJcOLK~TUHj^hO%7Qtex9;rQ{z?r9=gS}x_D~fS3^z}4Y*~x
zHZJs!Umq3)Z~frbM?V`TeXrR(@r@rd?%aB$jr&9X=F89hl#o3B(HqHoAAgqB%fI=F
z(4*a=SN^Vi5*O0+(5l5>IKCOtRX#ZW{`%w15{KXLYL?x2LC9~77oClW?itZ!!|y$g
zMQ3biczBRj)+T<!*Y6FwakpKU%&m{!+4@4ib<4614HCR=y{2w4JGI>#tDBy>`6y_>
z2N#1Lwf$jM>EeCPb<(xVW50=7y{mEG_;XpihwB{c>?>Pvc=b=i&-VF8_~uJ`*?Hp!
z2b1$$C$As(RL$JorX7hGaXRaG@_QS@uU`24>FaM@%}Q)9Uv>0qY~+o*J8teCH-2PM
z_WB_QzwoN#dnL!?l6Lo@`tDENK3|>s^3WNd7)rhg8a(oB>bqzD88xDTZrP^CAAYpq
zgQ&cY;b%TR>8X40dB@3XyrVx$JX?0_^o@@jdEaXF@%)qnyWNHyoOz<}!@?uOT5S#3
zwb0IQ_4(`1-F@exs<lVKg2f-*+IZ)?yj62QZ@FyHc85AQl6!7;$-Z+szTS$wj*U-$
zSKKaXXH(zf=kB)8c%mB+ap1zu0gmmv?~spMu;${fanS>wx=(YfyS$&_U}N{uV^Wef
zb?_Zse@UA%pJzLqQkRT9wb8$M%-x99CzOT;M-#toJ9yp074s*b$Q{1dFv?+ilh((a
zZXAnl@cb9+`-h&|7=K)!f8oz93(Hn4(!E5g?-%;bz>~}LsSZ1G#&7q@-*V~oM#g0W
zZ+vln-<!tE%Lnhg(B^hOx$|3>PxmegPH}S{c{IZ-^k{Lo%f=ONzI<tW`qqQ4DSHwY
zsmms(uNiwHZ~V)ndpS-Yu;Hm{XY=i9-L*%rT{`!B*_FK)GTS7#9Phm9#E{-?x3$0V
z`7+-Tb3WPKru!ETIg7Himz&(by(!}Elhf_>;opCCc=CJaoMx|G<=wZ(rY(bli;ip=
z+I-f9<EsWtl+BEb9}}7w{Eu#<XGVQ>v1p(7wOwTk!guPz-wg-~DQPwA%a4C~tz`SR
zAC*0B{g2G6kClFJe)saF^+WO>H(5J&U&nU#(}!+6|8w|+wNY!XHJj(~=aviJ`|j@x
zajCcam&s=u?db9H$OFTinly+za3Lsk`U{(y>h^5XpD9_iU9;t(t|Vgz`{&4^JD*_?
zYdzp_IlFM>4h%G!VmQ*qV!*+VvbbJcGVBmWT}e)d)t)mRPaCJq&;Me#+oIOr%sI2^
zyxol3p)O%v{d)iSlgs7+WzcN>{x`DsEPeA>{dDbB&4>+6l+WFLZOpPmxgY&FKeCTk
zueldHW^5TgZGL|EPYtpb_4H3_?bpXYNb|a}UYj1TtT^*x-``3%N32=U|F+MXccVVr
zb0*<&QOT+Y%Vm>}`t3_|n|OgWUXrrRwDr%3CUdibTX+q5);p@;;!J!0)t{Wa?z?<L
zqT=|V-Mc@&hK%u9m&pTh#;LMlIHF0MjX`-zPjdp6<I;-MYUookO0`UAInJv{*cby~
ztAUe5{g#w02VE7EzO+S&8-iKVurz`S8ZTlkSSn2wCXv$9o=)LlPH)eKAonwApw5<K
zGPYbY7s3NJ54d>}9K~CzYzCkZ@9O6_?tNzDM~7~1d;7P|4Oth+!T1-eBh6l{t}DmH
zTH;1wGU<ZV3tFa=V~Xm^h23$bk1HtI)At^nOG-=WI*h}&<M8dd>og8i%FWPtf~~Ne
zz*wYgDxMs|?2Z2v!*nk84DQ+*u`@aMZPzxEus_0sbeoT5XzzAyD+#}ijUGEtltDfj
zCZd$f5YBzkRrFmCtWdUQD<rz$rKz}fqLm=d^@9}9j2ufBX08jCn|5-g5h=mH1iimx
zMpuqkMP0ecE}~J<kjqjw1n^<HLYcI!WEabSw!(HPkano-`A=5-(v`7-$p1|xL75aw
zK=c_(q4p&q>c9@=jwK7&r#&>RM5*HzT6X1db!_13qhWHC#QPIvOKHi58Kb*8c<#y-
z6x~sLdP{<_uW*+M-ye%7^%z(B96pk}@|Q|WpIA`oQ^mEj`%9&7UI*_*{ogEkiLw!_
zWhwB9YgGraRw((zgk?)u6!V`_;7ftVH;hGcSN>9IUEm*!rLbF8mnyNi=vYnF5a}mj
zB{TyoqdD9jgov%VPv6L(?vDCTYItj!@)J792R97ARMrQpvctIV`0&`8U)}Ki7wY(^
z`Kl>@f5dG<iQuIC%X=#RQH`#|pZJQdCW+`hic3PoSgb}Hu+3z^nF%AefS!$Y>jG{g
zaWt0FY3rdX=Li0z%G&U!MeVsl{>gf%!KPM~P}Ct%UyPM8PNzg$EMHnkrdR2x1E;2(
z8d5rt?g5~MVR6twi_3rI`%ivI*9y=YK*M|b7E@dJ?Evio^tuAQ;}8U(_vh3AI=o4n
zT2ywl6+|Z^!T|KX7QJpoH0Vt@@%vA7PfPgd^SMff)}Q<S6WSjZ3y1^61G)hc0NnvS
z06hVTfFwXKKr(=6^@iUEkP7Gv=m+Qz7yx)4Fc9zpU=Uz1fHwPw0)_#G1M~o*lMX)v
zK;=!HV-{cpAR90eFba?Z$OYs9@&Tg(V*o}#0iY021Q-h#2Pg)N2hd*dM8G6K31Bi{
z3ZN7q^Ri<Oj}VxpVC-x7+h7rp$MjF!FNGC+h?+%4LNM^xDQD>^84I}`2xE8%M=5w;
zi7<s~@5r2pGMOM4b2N#r3|k)j9c74&wMxgcPeMUbVo@wgA_{v=5RrfW-+A@tauVhw
z%Gu=A@=&5>NR*y03RpK3FOx+=A1EoNa?<GJ)BWXQD)J*Z>J$>SP!Xm_%>k_dbv**)
z>j}Y|BwL8UD!Q|9A{}ZE$nn&8tdeUjW^g4)eL-q|u0f?wFU-!*OCtHkLcY2lT24L)
zJ{%}6J^7X{1rfG@EZID{3O+J!$f#t*$7CXz#b=R1SSJtTc!+p8VniyQneKz;_X5%x
zIF%4zG%Ydy76C8b{~ez`g{A@!4HfwR9a@xDDbS$&kUPU&O(rovBK|W0Uq{HNh$o$r
z6XR2OIPxpEs8o@a=s>D(N^9vzm!hM}Oih8g<yod6+kJwVlR_U4#pxSAH1&hgoMsBY
zc4*=w(4-r1AC4wI6xVbn^AMtG;QONWPeU{dqz0Wqnl&;6$*+kb{uTe(aTz{u=rdJ`
zPLi?+SIU1Rle<IM6R1W4o;pUg5T;HwK?tkhrwC!fj|M0}Qx27p5_$R#TmvrBpCiO4
z`U{0HrCl$C$>Y>5$g_nIQ<Yc=NMRod;d(eYa7Kc^E`;5Hr(&S^9*9qdMq$E};fi=#
zClci>1)BKDWK><3C?auB-IB>fxw*yN@xBXFar@^Q-eU>fd&SXnXQq<05(ZUb_nsV{
zlG5`gOx0IkfSu-1`MGJ?d3tI~o>Qe38nfDu73nWgaQWx>77OXb^deuaz*ode{axsB
zx@pzSkLlzx79E*DxrN(>vPd7NVqtQB7J({E@e(w);@Q!bI}>A4y4WyFYJ7TZ%2ykY
zG)g7MYjz<g3meWL6=BG@$R7bbP#m6%LPh~+2PD~^LauahQ1%Tqp_d1W!~2sjSK^&{
z-XT*QJ`%oMt`yP8Cy#%ge8eXkBS(DI@Tqhu{NL%2tGXYusKP>Hc3KgR>Ztlh59_7R
zMWD0FCn+EEnH-IeQ)*F~XnFntZJiw7u}cVI2V*hXPB&(chBYnDljWu6v&s5&Su?qh
z$IujGetN84QK*-V?VdL_e^jJlSbR}lx~$_^HaJhC^Kok9)TNEWXooW^%6@Y1zIrBF
zrxNBV8%4(HM%Kxi$K_>wsbbq5cWGUBX=Npi=5A2Ui`CAIbz*826xc_fmu2wx>4rC#
zeA))38gfz$>4i>H>qeDM8p{kZI5iR!kMCmU7Uk&sXkyYdvb^+hKGWQ0G)q{ldAC_{
zM&0JIVQV`?z@nU<o7>F(6_EUk&e-n>SqNMtceVDZ_lBEH)e8<L#k(eg?=B+XSA^}v
z<`G!xU*y~|lm|4f6WrT0wGi9`aY%uCcbaAh&Rr6}B~3d7_qGIoNRn1h(-Xlhl7tUQ
z!Ve_j1R<`Q;Ac~<fQ#g=<`*$ec})=>3w6&d@=$?}Lh!S=YLq2UL9CT>>W3HF*MVYJ
z%Bin@AfukVvHUH28lfmyWBD~Ze34V(z#hsXQ95sNu^!3}Dr9WG9i`Z7M>MkJoj{LI
z<%m>LniUjMpnH+RLb;tlp=Pou|B@_q{w=aN{UurI{<q6QhA~n8=n?tkl;~i|E+V)v
zhbq6=vL&DLr-Cuzo@~I5J$gh|z}GAwG1|}zb(!j%kPfwG6!R47l!uHxD5qi(C68Ku
zN&V*Ts=ZXSA7a!<At3r9-nzY@v3Z4~cvQ!f(98od5%K{y91F^b_+dF#hHuo0t~|>?
zM6jun?BU69KBdTopR7_!X)3yB?A%|<Kh2+IRJK>a_-pu7w8ZWX{0<;_f+x!{9Qf;Q
z%-c;SUvQs;xVGlclopTvf+OV-v#RIMmd%$HBc6Rt=Fg4H%8vy9uXg^BUd~d5xw4F<
zx{(A_x~b(eX?Z6eC(fT`SiezYJ%m0qs>bYrrWhKW6%G_IYO_#`fUS7Sr{k|WtTmNz
z>t%eQ%VY^8Q7Jz^Qz1;e)r7+;Aw13zjvQ8Z(gsgdtHpUZ;UW=(d}<wdS7E7y7actl
z!&1L0JpW8gS6NJ=Mj9ju_<7kiiuzX_&6s$W=Ic1b#u`J||4xUDZ`)GY$Pyo$X5!bT
z8UMLyA18OG718<v`3m(!n1ouZj?i=nEMjhIJG}MaDff{1som7NuoCA9-E#7kY5E-5
zm#L%m=~1$TczsTRp>A4CsnMV>)TiZmdb1RxA;XZKqo2zhx@WMmzQ!Ww$jG?j(fI|2
z`c3hYOYZ0#eW4*%Z7^n!o#wtMvZ!EqVSaA*1V!{Tva!G7`18`@F?UU^Nzga8X^J2&
z*wutU3L;GwhLx3lf4wGjC{7dbml{k>(xoBNAGAmXN9V$6{q(OoOxkO`{=XQ^4x@V@
zC*6PeD`hC|KTroxdf<pwb9oET{}kqRwd}uotROc3>A$2V_cy}-s{V_5v5Fo_8v6J4
zU-RwQ@QQV0QbZ(di~RreU!;Zqa)<uwy-NEpYz>!kFQoW5Io(%MuT_j*OI=F6mR60=
zqBK`<omMk+T56p_=(N)G(K)h@sne1zjCT_{Eh859`A#dv7|C~9=(Bt>*n3>36<6#g
zbXta7#&=o<qjUCHxv%@wqJqNwM&+H>N&OWXwVLQPH<}T<wGqb4up>HjB*zgGS`<z&
z8?ouIPZ$3;EZ!I6Hu?&>FUEbo*h`GUveszquVrI>SdV?QY%D0|VNWd>`+bC?cN_}<
z^kSF_yo-UOJ~IfhDP=JJEre3gYh!e!l&RRiqjwSM-J?|O%TYY~uaiPN>x+Fk+S}#-
zgMt1zf@1PJ!NJ%+q!+2;Fis^Y3&AH1QufF50??s<n^0lT601*~Y$|Ai=&CBs1yot?
zhT703jekS_mNqqzlQc;h{hy}I>Pk@5Z`JYW9ZlY5RM`7X!=5a?xJuSQ?~aKjNV}~S
zZU?td!CP)DHY7qZ+la$Y16{{KR}q{IYY@_)>;iGm$DsCG3vLu62I*oEipEcexd!cb
z@Rm!u&g9-`Q%kJGRxWt^$c4SAgw!?7gN*erw-?GmG~|wgPoY4_MSeI!VO*H{plEKJ
zCX5T|xVSOMT|9mfh!u+TmU#%qo;jU=pqFifkt3>C*{ET`7MiW7V|qNNR~q>g>9GD>
zXdsuX4bqw#1a4wY4TgkNv-LLU(mTww#Y7aT{!-oM>wc<Gw@7zEz!sw}``T<1{*I3E
zk2^teE(@+Vahn+=A3iUs?ly)k8?n{XLUPg`S%D7r5C|<s149<W+YXgQG@i%d3E%fe
z;VI2fsib(kwp{NK$N||7<td*{g}F`xOb5&W%mmB=%m&N>%mus%cnL5M@G@XNU;$tu
zU=e_3yR-!TD&RH162MZx>wq@^%K*y(7(22z0Th2F{8fOr0jmLP0Pg_S0^S9z1FQ$U
z2iO4E2zVc`39uRP0bmP&)`ZFcTLDlT+YZ<P*a`RuunR!^_Q2l@*eBc{5d1^%4+D+>
zJ_Z~Gd;<6sK<SRbKMpt{+@FH~Ip8$l4B#w);(a0b2>!2f75$5?mLnOpB9p6E)K}HM
z1;pAIdT=>rhaQ;kcmllSGS&#t1keoNEq7yn!j3&u$T@!1p)xfRMO)AKac9L7nMh9J
z5B${*`w-GIZ=R?N)?3UblRrMkA&qA;(a{&qAs1|?lGyp6a#eSHix`CBSFwj321S}o
z!Sb4<HkoL}kerIxp2gtEgx9VuXYIs<T31UZ8fe!tuE|7`IC8YHDUc+!$z;z1QK7(p
ze+VV{U&`<A=7`GR@6z~Jrl$h@SJER|UTxR5?fzTTD_idD>OJnn)t?DRRf+uJ@cXWO
ztCRe8{IC1fE!#{fZ0jOEcMYFBB7S7zlBLTtr%!fVIbOt*|2+tlA}ywhvWCn-)+rFH
z)Xs6m>4u!r_HNA1xqo!j<C{2pt{9M=rwKbWSqO$`9j6GvFkLZ%c8Vl@`qnZxrcfYB
z*d|{g6uucD4@FW`%&_G6`0g=r!}`bdN$sB8E1?_SqflUDccfudq2^qa8*@}9rN-wQ
za|>cz-Ix<`=ANb(?myth9Gv;TwrfyCVeBMhBl(oK8><89O?EOiEN-kmrwD6sjV>a>
z`~Jw6$;2OSh?(SutxK!_qx)bg1aKA)<@R~eBAGT8$?OH{+^+B?XNV;rqHum{EVmuJ
zZ>JlpD_}`_eq&gZ+K93@Am2DDEkA$MDBPhbmC1%P(Jp-C)L8NjY-?=(;Xoy9M!}UP
zl?=IhXok_KaJCeTFg`wjRCIW#D(A#)*3jR*Rk%h%knF|WRf>`AFDoUMGznC<lgk&@
zVWT}A671MCyb$BoMuEep&6rq7bJ7d#F`{9Sa?g<ta;MI6Cr7za=Bc!I@TepA;JOV@
z<}B~gN$%uDAMmUv6t%Jot0!~DEG(W*s2FMJ<A!nSAXdNKU<}XIvAR%g9LD8=aq5Wp
zK#fYRi3*HhZh;tvhp8iCbg>wJN9#&_wLus-seLnZwQBU6IcdK1mxz)4e<I5DDtG3s
zN=}pQQzc?XVALDO2eXcGY`8|Q?KV-ZV1cuz+BwS=F6t6rwOl*jx3n>ndF$2e7_0BF
zu~a5YkJUxTMY-v8(Sb}69*8luP8}E>5{kiev@S{)qls6=M}&pO*{26%#EcKv1ZNs@
zl-b3>GY8NY8I=0$JehNPer}LFcjo9Iu6C({V=+yi)gT1}+e~~VD=*zJqaavO7Gx;S
zP`zXq*}ha5dNOhBnNW8d_L;qyY+`aG_b-oK<ORtJmKn*90zPIgkua3O2kXc>GHq;p
zM66mDqY4a-j*mK&6CLOl9UB+Q`bR~n{na|%LAlnxV{U;%{=A$cjZ~VjAaz6M+|q`n
z%vJub9jottST^w2#?h@&%~DX$x*>FMQ3f4hrNih=`XxAOdpS0n=9v&J(;Sj-q%PMx
zS}wC+9dNkOl(Q|PmF=Tt%Erw7pp0rA6aNO1asLC^jrqJc)t+US#uOZ6QKe-*X$NI=
zvU*!C8-Y1{B)Uq!#je`r@3<xhoQ=Gn6tFvA=8HwtxBzscsIDorP;xNAjkW7LiuoO?
zpR>x(aMLeaq5YhVQA}}-n$=@Pw(AXu^f%orJ=<O3&r0xXxBTdah*ne?!tsuO?}grd
zvHal_aJ45n9C#v=1!~p$R4d`i<2}#cPvJcrQxgL2A_6kIm4_Mkof7f(N{MXNkxMau
zF6}hL*YSxw9RG_5^0eyX)`pKmjS%lJYMi5&oF$R7vx4XpQ;c<ABrU<o*&<2I4<%vJ
zuBJkzOpa3{A|*?o2=}f<+(nYO3Z@qeOCp~bjKcV>G8ZMN+tzb@aHdixu#<~X_+Cr6
zlZ$0z)iDX&%Fly|U6hE2emEz#z3GL*6T5rDsg{F$gm_T^Q47H$Ld+~k2xj5*K#YX6
zqS{GRIt$cNqPQqYIECjUxr&n1xA?PRk+HoHmumydSxZQYtm)r5$w^ta6vYO9H1||`
z5m{T#*hSW2{xU^`qmWwYibQE>BriH?SQJtwFrqjuCE<l)BKX9M?>iB&>-o<9^E=N+
z=5Fo3?VUrWSwqV?NmAS5WR`bH+$|QI<XkUJoD$DG3H*IfQ@4G0Fg1_8+DFW)nD<-}
zA(|vVs1gNQBo+^7i3LF?U&$SkJi8$YpW&WLFP1#`QJ77vR*=KRlRKR&$WcyA$a7ta
zg%f$0N(mS{4-5Me@fR)dLN{P9XHjBtgVq>HSj=Y-&$XVNVgaK=nx9D{iR9xg$oq(i
z>@tu@{@EDbXgRDXJo)K(>!UobT#vYB<o(OZ6cZT-TVzNF3EZ-hNSH9R>@`l*N?m#q
zi*cVc1}#Qsh!_W{7F42DAXRI=c*;8vpelMT+;A?^!WVA2w~Qz(wrCU<)hhMP<Is@T
z+zDbUg$-con+k&UD1|88OAD4bdePz}UwNhZAg+JK@vXJlQUkPW`LEVBSZAns^UrF=
zUzJ?a{bx;85i5Cy8HbsMD~V=?-i^DX0>=Db*T-RKUOPws@FXqYnxx*3NF#)Z=KO1t
z+B^>Jzmqk%07wq=r?&470!>q5a`xQb5dYy&BX)(lWBoZ(n50zfMDcNLUHygg2h^z5
zl>cXl`&1y-J+`yY#CTmqT!+}$@W7C;@UTE_v@RqtLKhbk7!wvA8y6888Ws`Vp~T0<
zi8EG1XWnLAoMQ9Si*oTHxXxDg8r(WTEjURuafo5|6z8@LoqZ}s8DNuO$QjLjW3IT6
z#8U%>uQ(Rq_<u}(?r6LRkd|Wz(RTI;=@6pTYQYB)Vv@Rb_KDHOgvF>eVLEkum`*1J
z#E4Ca?(7q#j?zZyqQav>c>um!OlP0)nDDsph|su*h>+-r4g@heJaTawl#pLgsERAb
zTL|=N+U|Lo`9oZs%5$gbJTW99L>mi^fidwN)PWjJOnhKO92BTlN2y~vXf$edXjDnZ
z{?TzA%TuX2$~0>)z^<wR1bK~i)`Y18R2?({Dveg#AwU(b)&-~_xMge5IRw!NH0lnB
z7N!fKXrgvIYeMmaKplbfVcH0KYRh&A_Y4;6R8P`I3lRx(edfxCza@`w+qg){+PB$y
zQ4QQl0QGD1JQ6@nWdcA6pgQFNm;=C6id(OzdO_>(^#LCPs5zw(zc+kZE}$7SKY`{4
z395dW*#cja=grL0V`V5iuQ0!01d0m_OL!IuVC!OK4gnWrT-b2$WeQ7%URCB_e&N)G
z6+uniUct9M+6Vl$ney+6j8peZ`A-430%%^;5Rd_&UWIs5eJlh}z9#{^05brjk9h#n
z&tZU6AEZliynI;j;cqMTu`tEypX3ospDP^xbCnfAZADPSu)f5lA`QEu{fR|ula5I@
zUZ3Fhu4%8j=Iv1ga!}j$_ar#Sk^<pm+|D@;2?)EYJhtXnI)7GM{^vkGyXGvajagg%
z)e@{_gull>%9v)zE-XmPd9kn%Rga91%0{e!{5p~@NFB&o)!2Mv4!-G_$HkLYq*}@>
zMwg)m+6i-UmBqN%7m-?4G!VQbXzxP;%VpLVQYGVGN#~virH(Kd3WFlpqYh<bxJUoF
IRHcFc2NXD3_W%F@

literal 0
HcmV?d00001

diff --git a/tests/test-data/office/suspiciousMacro.doc b/tests/test-data/office/suspiciousMacro.doc
new file mode 100644
index 0000000000000000000000000000000000000000..f618a97ed18e6160dc6202f873d34221781b9e0d
GIT binary patch
literal 28672
zcmeG_2V7H0^P3P5P$Z%vVvC4^NFWJaMM**sP(T4uKU54M2oeaAh<J)d#d<1u=ZR;*
zf(m-Jvz>=}g4lcSioKjDo(;=k{xdImiX13<-~aoUWAmH0yR*BqyR)-p_U*o$INs>`
z(x0twkSeAdF(B`>Cd8-`o&jz<+RrAWBe)UwPOH@-x&r_>>&*Wl4wSAaB4%bLEJB`G
z?7~JQ3}{&}#^3^INTP>D4@=2T$)>O$J?gP6iEBeb*cAm)2q+7mGFq+q`{0_~bcA0h
zM|eG*AMJTfb?#5uP3YucV<Vt<jXqs<b^{3C2H|Ma;SS9RQA1Vs=+k|z{U@Yf4|IRB
zghwrHTZorqMaWhrA>l0u84Ld7kX~ODB=g?Te4xwsK0xoF@io~<x3Zz>(Kelqjzjxz
zLpn@K`)jhR(y8i4{!}(Joyxe{xaoACqesW94b9rbsY;KQx9ijQSuJol`@S>Kcsf39
z(|OznKA_yb0jBc6M)^ZS$2$db@F~A8^zT3Ed}vCQ+Y9BAF3;y|I(<!cP3dWQr0ts0
z(|DQ=?XStE<5jh*^0{g_?WgI|?O4_RTzJ*^|1Lk>UUWHYYt!ZZQoAPlI5wM_5i%Hr
zxHCw-A+dmGJ(yAI%>RB4K*QCUe=-O3>%2ez$vpT6*4@Z5&dci&sBilAulNV@;2&OP
zT%j@qgr611=$y=MFC}d@jB(;@I3R4hVVa>0K)bAIhPGKrto9oSX|`bx(+Z$L)*jGJ
z>dgNa4zxBhCl)Xaq%q7%J=pWXA0aFp7RWq+oX>zeY!H18QbA%q2Q|^?25D;w`|rT#
zLw#wwsO8e`n(S@0h*LFf9P~VYfU5W}_48`M`!A*WpNdbHJsH{;-2wpE_#pd0{LTT~
z1$YTy1bT!eKnDPK06%~TfLMT3fXM)J0jf*K20YTWhdeF-zwZNl4IN9M^G{Bf1@-p?
z-t`A~1z-&Pv;v3#7z>aEumoTOKq0^h01d!(fF}Srq_6=v06YL6fV!~%9AB#I(;Ub?
zB+!8L2IvD2<<DRx`qyJ60jL1f01$=v5;EiuEfeepx_x258Iv%gCQ_0_V&ItqPeQPn
zt%x|#ilQV18>#6i;qG!(6G()dr`n|?kTlS%pls5d2uU<i0ZldehH(Fqi;Bod9OM^I
zVyXO7;EAR`V4i6=flbrm!K@Zcln^%&s40k?a7Z|~qQRx0{Dib5&2WHmJ!eE1rUnX~
z!w@i1L^DZ!pv)r)oafpi+?Ugrl4n$(^aLvLP<y1>3tTEFha6%vseNQZdiOM7HGwxL
zIES_+53ZT-!j0&bz@o-rM~an6YI%}6DtuJ3Ts6okEm5&%_Tk`S9$QlG|L4Rz+`xq!
zeT>^bn6Q7={$*nd5Bz9rdGNx<yuNSCdz}gw<#Q|*ju&0ZbGqD0+1aMvmg0E}^8(jD
z6?L+G*rLav6(t@a7uQBi8*gpZRl34_-t&UrcG!DN(F9DJAG%`n-Q=OYHhRy>N@<g|
z{L~vy=3%$g4w?#0!=oemT(NpMZMNsFgW~gd47P4))!+N^o!9ehZ)R;S=<Xi8CQxiV
zaZ}-UXG-&5`yI3tIUV}d?uFCxPSchi9k4t6b@L7P2g}_~y5(QvJgq;&qIg4tX;H_A
za+-7R?&^{=t@QG_0g4@0XKkD{#(nUS;3934Auqb$Z+!a5xX5w95v>+v@FRY$IG1;?
z5cuQ{BMr7eREk`oa(2RJM&|Kh#k>Yn$|miccrv}usbZ`4sm?31#Ll_t<c9sYIGYxi
zTRglRvfs#byK%<yvhr2l@78_$`o^4l9LxEujf!uIyC06bk?Or`+=PRZmgluMj!a9Q
zoICpRmZ%-QPv&+#%5Sm4e=F|?3-hTLLw1C&6UCf7$UYS)x$GKkJ1%eb@Tl``=H)cM
z?%wP43(L^+9z)h;<{#8<D&`%@2`L)4-tmrvmE<v}SN!ehrTNac!gglm%U7RiePYYD
z*XJsrDu1nL!l=2H6QP3B0a^m6<K&5Q=St5YX_9oPJOw4B!I2=-Vh-EqM*7l`Sr<KI
z+wCRM8xODB{*s6nS_}6tIkoum`8&5JdK@cha&|#avjL6^>zPfLA9b4g%abvVc`foU
z`M2EbsJOAe>D>ouRtGoFY+Mp>K-DL`-Px>3YqwnGoZHgrY}+!&tAl^F9p?RQkAC-0
zmv_7=dDy9gDbut1!Y@COIO#js`77q=-Ud`Ewyp|%EOzODqu;hT*mPIDr`=uCvtOKD
zn_2X9S;+BAE?a+&nc{uUf5qdc;UlN5J~d-+wDGktr}2dyZf8x}`KWD%W9e?EUvFpf
zFW4^VZnJ)M<kh~R2XmUY<VpQ_>g=&)XV+gF{o-2K*{jC~cQ~`Xa3Fi`%Rk>NnqPK9
zeazB!<~Q#)U0i<Z5AU{p3Vi0Q*mh63;Ys)H<qxB-N_q(PnY{Gr*0e|dz5Su<X07ha
zpCYw=yrF6EjqUAknSA%;Q10&&a(kXwaAH_)L_*)jzM&;O`!I*Kan6pJRWUkpi_Ekj
ztmB!&g-=(7PA~uY+h+x$sWYuY9}nVOdM2H0xP9S`>{I3T78bwVf9+OruV2~Kwaan`
zPCaC>aq<;k?VXfg3vcdNdhhnh0sMG&hVZAT`{#*6`S4pWx49)Xed9`w-rI0$#<y!X
zU9~duI!EN04X@_D%pdT}lgaPyw!SwuznkUYiGqrv)?)?DCp6{mFp|GYHgD6gVB+kx
zQ4<AY63k21z33sld}_Ur-~Pet)&-VZ=NCU3R{y|vCuMd!S{Qww+OFT=WgP42_d~-R
z2RNAT{nv!SylxB)Gt@TV_k%}GolmyBIdZDK*R4HW+V*KM{ufcl#=L<EXF6=@@Mpip
zKHcLpm$jSGAbxNCc~f_`-MhcBDmY@}z3yb~Z;VlIpB+~Y*1o#?B1HMyo8ON<+;vZt
z(0A??eqg(>$Ju4?o-9_5eOU2!igMiRH<=gDY)_NkEU9=jvh3X-$IDkuX_~z<?QLFJ
zNyV#*%iXo_qQ+HRTDtT2$sbJ?&t}yxYxLXmoQ*8Y``0s%zj|RC%ePtS+kGZ0aQ6JY
zOUF6N>Q}@~v`@KibYbf)Rl`;L40r4rD{YjsZwz;u_*Sv!&zig$CmFYbJ9Q0LHIL0%
zd-{O4SJZ-SdB%gb-EF<>%+sf7J14a4InZGWe`{Q~rS?DA@9sD^=gq7|veN!nn`QJ*
z^=_{^#)=FqtAEpsJ$!zQ-?24u4wGgDFvnipW;|gR_wvGS<wi3KBD{AubGLYDw5;J%
zmtI_#YdsRCS!5q-9+)5hq_M56*}(^sj|W}p@Bc)d(ec^7`i>br@A9X-unrz)9KY|;
z%dmm~g>CljD=VI{_^~!UO2=5`#@yK*9ALfR!tuRc8TL<ecn>Bl7L1;fKk|t|pn1Vt
zucEozyDv1$5l(jN_yc3vZv#|QoXcdfd&|_~Y~$^rL5uAoraw~MoH47Y^G4BImTbDy
zNv5pq;=P7O23t2O27fn}EspTox32ITO=<tWWgRUqoIZMVY);p<yG<{4oOOZGEpNf1
zJ)4B_6JE7Fnpya8<<b4Uf4AsIx~_btYW!-dPkFsRZn_?lF*?t<-Yx${z>GD_mDeV9
z8SHW8X-VIgR;7oVS<dWK+B2)@{M_+-k`C=S@9yHe*5r`p$F}zc10PuWI+kbKtll>4
z=PhAL@ybi5%uci#5ELRhWuEHOWoO8%T@TZj6sNt-R<>O5=+^TtNqZwU7R2VM?0;-o
z_S|Di^7cVTv;HuA{d~dvM*qqS;hmXXF=NE#(^p=)zSE|MsN%Ypqzb0InRz*Q-;{>8
zwtj!mykECqyD)d>6X){{GE0~AX!F*#UP$`fj8m(w^d4jLyeLys;_|IY0|&44bJM;J
zE9~1KbM=uTmZj58|HEku50<c-hsZWhIK8xB{TyGLeyvQDds!{5A4v0(CgnZ6J%_uo
z_}DjtS}9_G=*t-}>-_HMmJL_OOitQz*kFffXKafH6VGuO?MJt=*canIZRJGY(OvRq
zEYBQK6xYz=8+n^alJiB&a?dCSZQ0MvZ#sB<n=7sV>{a$!N^Cf+d&5sGbe^+V&`-JZ
zr$w*%-suPCMX-D(?wqMPb$Za=7uTPj`F&&W?Gy627Jl0<+HRJsC)!27YQC^Xp7l=C
znGfF-L>8P`me*_Py@@9r;x~6GlMN4xns_BCY00V|JI4J!=;fagE*V)r=Jq`vwR<VQ
zYllu#TP+={YHMAz=<vX&isBO6O>4GgwX?l><a*}^F&8;)EmWD`Ex-5Eon}DbSljuL
zI~gW7zHfhi(&neDW*g)Is}Hx&>3RCmzNs74FHM_wJKXe`a?7iuMS<U~ExLL-ZTN#l
zC*8(P=j_>?I;eTFkaeZi8J7en<AIZ#PFpi$*P`8X@&-L~58U6|eb#*kzfltY_oIx?
zuiCLBx5TuCmGbrcq9v09o{G{eS1}W;&#qo6IeWmf<(h&vmZ5W9zKb2;vUbg~)hoMv
zJHSP8xNsI%8FAYzBC@eK*rn5$xdkJ`l146gnEEDTS)it<{#&orkDHoK5UyQ#WZ6oq
zvOMVzo1XRAo~mf}iZQHTM+?7m%EYseFRaaPbnL;9Cw@P)xt*G8IeG5o-$En*Rg%4+
z+2ztwL)*+o>R%HaCZ)C?7^z~JoeVFx9dJp*eHwZ<(jaGto1M4z@V_pYPoA0Ff7OWH
z!`sIhZ3(n1_2^W=Q=Ho`-RW-aI#?*3Jv`KW)Alze1BaXl8Y^4BzdY&D_m5f~UF6ks
zb+3{`{oID9CqyYdlOFB-v0!1jH#6Yg;RxBO#MF9g1An==IDEp%C1DR5Mov7G@21G?
zkSo3LAb9ZWYm<!XRovyp&Fu0+M7rl1*4p{YN*+X966T&Xzf^I|^Zu?wm#zAbn%gZU
zQZveJ{b;RWbxRPllUa+m!qTG!EKuyKEJ1YZE^1z{v=Gs+!-7nA^O|IoPZ(*eRGuzi
z&+c$_>WQ^y3^H!JnYnkj?Nj>5Y@MUA(-i4%KgMs*UUaarOmK}Kx7ymc^MfCT&o4^c
zRyxZk)G~P5#V#=$hD?~H^mx>C=<J^MK^<&E?Vb4ZQX1L?e!uX<^zhf3b)LDI5w~q}
zR|*eoKjB|KB7Mmp3m9Ye+U|^Ik3LJ9&+R>5yQ#v{dfHIuHkO0l^%1HrPBOG#w(rRG
zb_-VbVjYSsDA-d171OQ07)&m_YOiTw4$&%^YL@A}dwxuy>Pq!PY98>j(z>;3!m2C3
z4+)#YlK3x6sY>jxN~!8H>;t89)ls4rWmRcZ6@m{m7Mgxsnoo#C@1BOR(}Hh*4ap#=
zeKs!LN!RYM2;`*7Q&jQFByStO6VHYtPm(EP;**AY+w=|h<9ga~RBCBbj8vgal6%{X
zlB;aGcQZ5XD(x&&qy$NmIY1yu)miFo6Q@=ucXoDG$zYi*RXHh><w+10t4v9hs==Ew
z)Hx<aIuZycDx3v8p1X6RG(O3O6FrpgZKF{0Z8+*QaK$8mD|)B^aRS7FD<%P4Qke{t
zGKisf&=?5UVcy4ap)oFW99J6SN@Lt;j2n${r!np}oH#{%QUcTnEgMd(QsJ*d&@LP2
zZpb}gBLSrwPFSG;!)Ye{yBg@q@6Tr;(?MN@9a{=T?tqPkN(+1XYx*4^_@al#VO-j+
zWniob%C9>sMLG2kwpPmkm9`D(4QjNK3<DKc28yl|DAIA1((4OY85sd8wj7jU3{ink
zMUo*@2B4&T4AKa5K{BBv1oV9g5d#S%<4*!W$M*%SnDiw<5E4v<gn=&%;s*de07B76
zh!4>qp$~>ZRq}%$T}*nD0;6h>eLl!L^wk48NhAS4Nk+mGv8bWbMi&cXqb9H8M`bs1
zx<~6QAjM=F85pt*nFcJa6S*FlMhZ>zM5v6w9S+q;wx|dP>LiE!I8b{fwHuKH;ckPo
z7))Yl$Y3(+88Hn(kD?4+c=TxS5k^KqnrKL=0H2E!m3w_7784Ci>p-rHtI1tR?UCTV
z2O%E1H0Fkwz(AK~wC!I@ET;BJ;vp~GUm-;7<cKvjH~6A-y8V!$ARxFiBh+z=WeD6d
z!n~Q}y4IG6Ac!)HAqO;=H`Wq!mI9}O;Hd^0gxG*w^NlrD<jEc;+in#VzvG@%I|l$v
zsV9I=FghQL7-Z@Ey64AnZm`G`Wb?<^%JJ*mHFIE^;WWd|WHT8*-hx+itgj7$8H+YT
za6mg5lRt6$p$6mA8w2Y9fyYX1!OaGlfMIf6O@Lz|2ow=iORp^sp;ZhU_GPHimcpmO
z6M;5M^g+~A2goY`SX!;tf{voMn}ST^pojyh3IO*nIWV%t!VmGdlh_wR<PhUa;#SG#
zE4=Suv@>n^R~{qg`lQ8AUx&o8f0}JfI@xWyh)q5N0vdsh;aLFKX7d1WURe%+Oxyr~
ztT_RIqbBkNhq(IyIO6^ZfFov0AcCB-2OCxz)H^Xei5m`n+-@BLHcoyDu<_(Dp2}r|
zJqB#tNzDKo^T&2?4L03?Ro(brDJWi+qEsnk)tr#n*m#+o(^n-=0escCm1$sEf^mJJ
zaEei?6REhhp~ctJtu}5yWl9W$`vB0!2OTSI&d-Naqm;Y!&Kq<iPoatwZ^8PDjkr2f
z$ALNy)N!DW19cpz<3Jq;>NrrxfjSP<aiER^bsVS-2R^0$GtVA9yU?ix`}=Ir{~cei
z;{id`;ZZL}y)+I0_3~r@)c3~#puV30fO`Zp0Pr&7901%SSqOmo`*Hx(-`4=(8QaYO
zsPFFpK-vcZs?+P~z3b|2HkAh?t<i1`nPa&TsN-yy32p#jp~K_Vas{PgQ^A0#Gj$xO
z<3Jq;>NrrxfjSP<aiER^bsVVUKph9_I8eud|2G^!Wf#?8)T!~^H|p`I4&(cJ{H`0m
zr^k2msK29bj(R%2lSjQDb$QhD@f|+u^GyKoqfVF(^?rQ+-5kIg06${X5}*|ThPMHm
z1JD-02A~~)EkJt!46gvN2RB#m?*z6ZfD?clfHMFO0N=F>09*iE0o(yFJwl!NJO}Vp
znvyz=BB2iPrND`^FEN(HkU{5yGGt_e(nLrh^(1~eOZU_?IzW9H%K^L^6c#XiI4g(u
z^6-w{*O-PNy>$L)*M<h3L7~5%)DLQpHyEoPW~>bzjAKoh4D2&>8ETu3>O2tH5YG7F
z5lXzLh`bMgR*0p_gcvoP4pIW9W@8WeBge7t*0%n*=k_80sx|+z@_0i2blq#4KW@3v
z`QuqX`dk#Eztl7&4C)jsj!pDAtg1AIgzlx}?u6{)FSB912sn-?teW5p{Kl}GNY@|7
z%<2rCe__|Z=3moc+Un?3heP?pF&bsMw){sr_fTNKd}{nhnqM;h<Cu%%Kg!pq#(!-8
zPmTW_ARLZ#5gh+J0^oQ-kN-Fy;2coX_>Xe~&H)|(o&a6|odLQ4bOrDR=mvmg^#L2(
zUIZWp@CA?n;Goq5z#o8~OL~I47eEj|FhB?ZhV{|g$ov0`hGA(y7|)>+#xQzc0Q(w9
z1Xjcx{Mi5<D+!9`aTN41tu`0pOog~x!A<qP_oAm`0R(-8!Q}*GNG(CIE79y^;CDzV
zUmDox{-n{(0YT7^9|}XC=GGOq1VWI6)%z^ytp3xsJ(Pk;!fY^K?2BP==w9#A;~>1N
z4o9<^0sVsi(e3t{kL2r^h3OfLd6<_5Wmc=@fE#UGLE-of7G)5J2Jh5E8_&SiT6=&7
zjd)C5h%Rnrw=SjbsZ09-L&rl~_hp$mSYfJX(qVBBU3Zipa?~5_xpX+9Xm?F`Ivj0`
zkCf1*!y~40jLL2-&Qu65KK*<!i<Ds0uQl%uF+hH8#v4-$Xo`vkhfiJREWqPLjZK0D
zU@)w}HJ61|A~4BowaH*(2r@($gN~b~#~}89(g0&OZy-XoIwd}O1bp*=6CsKUmcm5`
zjyK09JPy8u;H#94NR%f{Roj@FP8CU2%&CO0KSDd+D!+$987);XR<gsAr834aKdFMH
zlGo1>r^uyhV`;RaN$cJz@|Y~SOd%yk0WoC0ad^sz20oIsWF<sw+#+0_n5-aDwcJ;p
z5}(Rw(oQ@=rB)`!8-0@@Wb(pBM04N<iYhr?7O#YhDE1vqO(jV&OpeABHJIwn5$P2i
zb+q`k3;a$6+YW~yongRG#3bDq4rCzA1*1XVz@GrX73K*)&`oq0-bXI69{VAbj)k@>
z%ueZ`?YP4%#sk|6z!_$tWcVqlv)~_AeJTj4?%X)NW_5zK6Q*;9*$Y>R_!SC#V!AMR
zJBuqyIjn7QMThZlrK^Upa9C$1LkQm1h|;fsqN?1_p?UB*8`d9`u+n1rx%e24OaImS
zCW(PM<2mfFHQ1@>ywR==o$e56H1<U>AKywE3G47LGfloC{{YAW*EMK9&R>W7k|!I+
zZzD*6?5u7510n86{a~xR@q>~Q4-$cr69L+ooVtsJGO7ltj0PEvfN<zsAX5sE8xhzl
zN?JM44^XZ+HOg@1+VrocFL^;faQmnS(fx%Ba;<ZJx-WS`IX$3^*q{C<`_f-|`RU$E
z^Y&A*I55}i#tOVI68-)fp6;d<-kH+rjg`5)6;{mjh~*0-jvI_w68Q0f%M##{CpC8Q
z!NrGG<APro1Gy}K+%Se1()of*1V2}5#1iO7EaY-5^b;HhKgdUQb<jyhB1j4cV&iyM
z+d44d4hUTbcW7HLC@Gd&2<75}Uj+4Vr)0(rO6LkL5%^so7cM+SP;vqM{J<@NP#%>M
zN8QSGaDIQ|2Bkh0WFE)gG;rfLeLisZ!{{mnJbv{jh3Y3Vko!caRU*|7D&OpJBJ>FD
z3?;$wTv`oPyjCfv@<ls|x&@>g@x!3Jx^EY$fW92c6a!`dcXODK8%`3l%<I<dNlwfm
zGlJ@G#+^Lmy6;D;%j$5~Pn8bV51?e*dubCuN<U~Plp9y7rQDz`u+_NGekg4ss-=9P
zRp=fsgizhQi1LPb!Fy@*gj%Dtp#&*EBWoYurTX$dgI8Va5eukP697vl1HN#^Al3ja
z0a`QJ#8$ro#-4`rjBdqPdG7hJ;`|u<DIcS9$JM(vk0E!MrK`VY+XQ&x20xS?SC9-B
zkQ^5%ksY(<G+HexZj`}hbB2YEu22jH2N0hs;6Eu0WZ)mki)V?!vZJT{=I4Cl^NYyt
zelE5-3MSe^z}5hOy3DX3MvNh_3(sQVEw(KQY+}HQ5DCj~vWX$9UwjhZy=bi7=_05%
zPVaPgO#`O^D@ZEaw2=*oA&L9ic6yh`I&fLAf`sCz5I?^Fu_P)&5*ii|671gt?tij+
zrznTX6V&`uLN@fzpfEqUkEarwgGU!6Q*+m`Ndp#WAGGqJ?wZ3UCQxRr0esg^k}6e<
z0F}Y&A{+EFoi0*x0o)nJR0Q31z@{TGGrjhr9(I~dO!eU^TA@&7z@8<H0SrbsFvF3_
zs->vdFmZ*d8$Ikmz)bY%9GIYXXxWs=HH0w+-?cOZ$_(m#3OH(I7$Y}o7}V~s0pU3?
znOP<zxrvd#0hz!gF>E^)Fs&t_m?%>l_JOSf;=^oW#BAcdmT6j#sbDlQHnK2bT4;2m
zSp#OEX;-GHC36XK+6P$O4a(F6HofRMi5iSuNF;+ab{ObCn&%743xPz!=SpDJ;K$|j
z_(Cqzld!owfjbYD5w5;Gk;oP1UV#&@9j_fM90WWkwIUkkGyRRsCTb2-$|0>eA<+!R
zPEN1*=oD#6?@`XMWjBP+jOn2s&0`Vnc!LH^mKpDUdOIFd&`#5wFj`CFc;o<SyjsIx
z$Y7D+#rO0RieYsilDKnuZm=xiirifUTv!kI3Iu*G5?5oMpU_a|3^zYXipn`wu82=#
zI#23{-{X_UPe@`kkSP<L5+@}SClqgIUnxs1HEIefX{=n60-vprtDG}_PIi)~#Vnal
zI%&uaLQkMXKZ7zl7Q%nx6nzt1m>^Y5@3uQ7n3aGl=H%&|LSvIc;xN$Hz+}9sfo}dR
zX8Y)*ub3UeBC$TyLPG9K%zQv72JU8q&MENq^YrDp`iQx1B0u5ybP<Ou@|Cz1#tMbK
zc|2FwLZ)DE&%_2QWv}#ND-Pe?$%%I)UDHfM%$Zvm#HR6XhURf|k!v_iCHn5cNmBP9
zR)r?v#2%2ET;IaZGQu38S*g<<9juSl7hI~}vJhVCt@al&_`CNwlS{2dObNr#ad+FO
z`ZgltPKF`|Tcn%0D)+k@r>sv%a)7V5&1hG#yQi10JC7@L^Yq|~U0p?7p)Uv$UnFr6
ziabSP7e9}58#7b7e|lHW)wzQ|PjAdjVK)N4BBGafNZ~J6Bvap8OjBb{JU~V0zD6Qe
zCMHYO@zDyo3w+|k#mhw?fUkyN1aVLgZyP_JpFrZtlSsss0n5-^1fd>&ZW2G9(2vh|
z_w(X==m0`{h#^qoCziPLT_i%juOE*O@%R#+9|W42M*1sNYK|lgzW*2_PvHb4#VQAx
znZB<8-+Q!+r;EVX-Id1``+4!We7+byks@(*;qrJwp4f}e=keTx>0Kg3k}mI4@hHk5
zvI#2KR*?h2%IxuW;W=^;_&hH!M~=IzizCPE!+r<@)@itoP1b7{pJ=LTgDhaq#A$*y
z)kdm<><#|Eqw`lG_r>{FP5*cObluVZyR^P0{ol!-0dFx3Kpc=p)pxfXC=5MHt2sC(
ya=bja&`VsnzRCpL=TlSr4nbiU2Az|7sfTVSx~DpMlILC<hks42>eBotIPhPmLCzQe

literal 0
HcmV?d00001

diff --git a/test.py b/tests/test.py
similarity index 93%
rename from test.py
rename to tests/test.py
index 8321ac79..39318fb6 100755
--- a/test.py
+++ b/tests/test.py
@@ -51,7 +51,8 @@
 from peekaboo.ruleset.rules import FileTypeOnWhitelistRule, \
         FileTypeOnGreylistRule, CuckooAnalysisFailedRule, \
         KnownRule, FileLargerThanRule, CuckooEvilSigRule, \
-        CuckooScoreRule, RequestsEvilDomainRule, FinalRule
+        CuckooScoreRule, RequestsEvilDomainRule, FinalRule, \
+        OfficeMacroRule, OfficeMacroWithSuspiciousKeyword
 from peekaboo.toolbox.cuckoo import CuckooReport
 from peekaboo.db import PeekabooDatabase, PeekabooDatabaseError
 # pylint: enable=wrong-import-position
@@ -537,7 +538,6 @@ def test_3_sample_attributes(self):
         self.assertEqual(self.sample.cuckoo_report, None)
         self.assertEqual(self.sample.done, False)
         self.assertEqual(self.sample.submit_path, None)
-        self.assertFalse(self.sample.office_macros)
         self.assertEqual(self.sample.file_size, 4)
 
     def test_4_initialised_sample_attributes(self):
@@ -565,7 +565,6 @@ def test_4_initialised_sample_attributes(self):
         self.assertEqual(self.sample.done, False)
         self.assertRegexpMatches(
             self.sample.submit_path, '/%s.py$' % self.sample.sha256sum)
-        self.assertFalse(self.sample.office_macros)
         self.assertEqual(self.sample.file_size, 4)
 
     def test_5_mark_done(self):
@@ -730,6 +729,57 @@ def test_rule_file_type_on_whitelist(self):
             result = rule.evaluate(MimetypeSample(types))
             self.assertEqual(result.further_analysis, expected)
 
+    def test_rule_office_ole(self):
+        """ Test rule office_ole. """
+        config = '''[office_macro_with_suspicious_keyword]
+            keyword.1 : AutoOpen
+            keyword.2 : AutoClose
+            keyword.3 : suSPi.ious'''
+        rule = OfficeMacroWithSuspiciousKeyword(CreatingConfigParser(config))
+        # sample factory to create samples from real files
+        factory1 = SampleFactory(
+            cuckoo=None, base_dir=None, job_hash_regex=None,
+            keep_mail_data=False, processing_info_dir=None)
+        # sampe factory to create samples with defined content
+        factory2 = CreatingSampleFactory(
+            cuckoo=None, base_dir=None, job_hash_regex=None,
+            keep_mail_data=False, processing_info_dir=None)
+        tests_data_dir = os.path.dirname(os.path.abspath(__file__))+"/test-data"
+
+        combinations = [
+            # no office document file extension
+            [Result.unknown, factory2.make_sample('test.nodoc', 'test')],
+            # test with empty file
+            [Result.unknown, factory1.make_sample(tests_data_dir+'/office/empty.doc')],
+            # office document with 'suspicious' in macro code
+            [Result.bad, factory1.make_sample(tests_data_dir+'/office/suspiciousMacro.doc')],
+            # test with blank word doc
+            [Result.unknown, factory1.make_sample(tests_data_dir+'/office/blank.doc')],
+            # test with legitimate macro
+            [Result.unknown, factory1.make_sample(tests_data_dir+'/office/legitmacro.xls')]
+        ]
+        for expected, sample in combinations:
+            result = rule.evaluate(sample)
+            self.assertEqual(result.result, expected)
+
+        # test if macro present
+        rule = OfficeMacroRule(CreatingConfigParser(config))
+        combinations = [
+            # no office document file extension
+            [Result.unknown, factory2.make_sample('test.nodoc', 'test')],
+            # test with empty file
+            [Result.unknown, factory1.make_sample(tests_data_dir+'/office/empty.doc')],
+            # office document with 'suspicious' in macro code
+            [Result.bad, factory1.make_sample(tests_data_dir+'/office/suspiciousMacro.doc')],
+            # test with blank word doc
+            [Result.unknown, factory1.make_sample(tests_data_dir+'/office/blank.doc')],
+            # test with legitimate macro
+            [Result.bad, factory1.make_sample(tests_data_dir+'/office/legitmacro.xls')]
+        ]
+        for expected, sample in combinations:
+            result = rule.evaluate(sample)
+            self.assertEqual(result.result, expected)
+
     def test_config_file_type_on_whitelist(self):
         """ Test whitelist rule configuration. """
         config = '''[file_type_on_whitelist]