
v1.10.75 – v1.10.76 — 2026-05-27

  • Sandbox: static VBA macro analysis — Office attachments (.doc/.xls/.ppt and .docm/.xlsm/.pptm) are now analysed in depth. The sandbox reads the VBA source code directly from the OLE Compound File, decompresses it (MS-OVBA algorithm) and scans for dangerous API calls (Shell, CreateObject, WScript, PowerShell, URLDownloadToFile, etc.), auto-execution triggers (Workbook_Open, Document_Open, Auto_Open) and obfuscation patterns (Chr()-chains, Base64). Findings are surfaced as concrete indicators in the sandbox report.
  • Sandbox: PE analysis for executable attachments — EXE/DLL attachments are checked for packers/encryption (Shannon entropy per section > 7.0) and suspicious import names (CreateRemoteThread, VirtualAllocEx, SetWindowsHookEx, URLDownloadToFile, etc.).
  • Sandbox UI: structured analysis view — The attachments tab in the sandbox report modal now shows dedicated cards for VBA and PE findings: auto-execution triggers and dangerous API calls as colour-coded tags, PE entropy and suspicious imports clearly laid out. New "Obfuscated" and "Packer" flags are visible directly in the table column.
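
The per-section entropy check described in the PE analysis item can be sketched as follows. This is an added example, not the product's own code: the function names and the constructed sample image are assumptions, and only the 7.0 threshold comes from the release note.

```python
import math
import struct
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # bits per byte; the value stated in the release note

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty data, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def section_entropies(pe: bytes) -> dict:
    """Map each section name to the entropy of its raw data on disk."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, ..., SizeOfOptionalHeader, Characteristics
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    result = {}
    for i in range(nsect):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]  # slicing clamps if the file is truncated
        result[name.rstrip(b"\0").decode("latin-1")] = shannon_entropy(raw)
    return result

def packed_sections(pe: bytes) -> list:
    """Names of sections whose entropy exceeds the threshold."""
    return sorted(n for n, h in section_entropies(pe).items() if h > ENTROPY_THRESHOLD)

def build_sample() -> bytes:
    """Constructed minimal PE image: only the fields the parser reads are filled in."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    sections = [(b".text", b"\x90\xC3" * 256), (b".pack", bytes(range(256)) * 2)]
    offset = 0x40 + 24 + 40 * len(sections)  # raw data starts after the section table
    table, body = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIII", name, len(data), 0x1000, len(data), offset + len(body)) + b"\0" * 16
        body += data
    return dos + coff + table + body

if __name__ == "__main__":
    print(section_entropies(build_sample()), packed_sections(build_sample()))
```

High entropy alone also matches legitimately compressed or encrypted resources, which is why the release note pairs it with the import-name check.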