Hey Graeme,
Doc.Trojan.Agent-6923110-0 has been dropped as of this morning's daily.cvd build. Thanks for bringing this FP to our attention.
For reference, the signature was generated from a cluster of documents similar to and including the one below:
From doing some quick research on the underlying VB script contained within, there is some code that looks a little suspicious, but the vast majority appears to be code associated with documents produced by Oracle Web Applications Desktop Integrator (ADI). This signature mistakenly matches on the latter.
From searching online, I was able to find some clean spreadsheets created via Oracle Web ADI and have added those to our clean sample database, so that future signatures which might mistakenly match on these documents and spreadsheets won't pass our False Positive testing.
Thanks again, and let me know if you have any questions
-Andrew
Andrew Williams
Malware Research Engineer
Cisco Talos