Last week I researched how to detect signed VBA code in Word .doc files.
For .docm files, it’s easier. .docx and .docm files are actually ZIP files, and a .docm file (Word document with VBA macros) contains file vbaProjectSignature.bin when the VBA code is signed.
Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.