Closed
Description
We received the attached Excel file (password 123), which contains a malicious macro that triggers on "Private Sub Workbook_BeforeClose". Unfortunately mraptor does not detect this file as suspicious, because it only looks for "Document_BeforeClose" or "Workbook_Close", but not "Workbook_BeforeClose" (https://docs.microsoft.com/en-us/office/vba/api/excel.workbook.beforeclose).
The same is true for olevba, which does not recognize an autoexec function via its AUTOEXEC_KEYWORDS.
The fix is trivial, probably not worth a PR
decalage2
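
The detection gap reported above, as an added example that is not oletools code and not part of the original report: a declaration-level check for auto-exec handlers in VBA source, run once with only the handler names the report says are covered and once with `Workbook_BeforeClose` added. The function and variable names are hypothetical, and both macro samples are constructed and benign.

```python
import re

# Handler names the report says are already checked (only those it names).
REPORTED = ("Document_BeforeClose", "Workbook_Close")
# The same names plus the Excel handler the report says is missed.
EXTENDED = REPORTED + ("Workbook_BeforeClose",)

# VBA line continuation: whitespace, underscore, end of line.
CONTINUATION = re.compile(r"[ \t]+_[ \t]*\r?\n[ \t]*")

def find_autoexec_handlers(vba_source, keywords):
    """Return the sorted auto-exec handler names declared as Subs in vba_source."""
    canonical = {k.lower(): k for k in keywords}
    decl = re.compile(
        r"^[ \t]*(?:(?:Private|Public|Friend)[ \t]+)?(?:Static[ \t]+)?Sub[ \t]+("
        + "|".join(re.escape(k) for k in keywords) + r")\b",
        re.IGNORECASE | re.MULTILINE,  # VBA identifiers are case-insensitive
    )
    # Join continued lines first so a declaration split across lines still matches.
    joined = CONTINUATION.sub(" ", vba_source)
    return sorted({canonical[m.group(1).lower()] for m in decl.finditer(joined)})

# Constructed sample: the handler from the report, with a harmless body.
SAMPLE_PLAIN = """
' Workbook_Close is only mentioned in this comment
Private Sub Workbook_BeforeClose(Cancel As Boolean)
    MsgBox "closing"
End Sub
"""

# Constructed sample: same handler, different case, split with a line continuation.
SAMPLE_SPLIT = """
private sub _
    WORKBOOK_BEFORECLOSE(Cancel As Boolean)
End Sub
"""

if __name__ == "__main__":
    for name, src in (("plain", SAMPLE_PLAIN), ("split", SAMPLE_SPLIT)):
        print(name, "reported list:", find_autoexec_handlers(src, REPORTED))
        print(name, "extended list:", find_autoexec_handlers(src, EXTENDED))
```

Because the pattern is anchored to a `Sub` declaration, the comment that merely mentions `Workbook_Close` is not reported as a trigger.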