Script-based keyloggers

Discussion in 'other anti-malware software' started by Melf, Apr 9, 2012.

Thread Status:
Not open for further replies.
    Melf (Registered Member, joined Sep 7, 2010, 105 posts)
    Spyshelter fails vs keylogger script

    I'm trialing SpyShelter on x64. I've always been curious as to how an anti-keylogger would do against a script-based keylogger running in a document viewer (e.g. MS Office, media player, picture viewer, PDF reader, etc.).

    From here I found a simple POC of a keylogger macro in MS Excel (screenshot attached, bottom).

    SpyShelter was set on 'Ask User', so that nothing is auto-allowed.

    Result: Fail. Keys logged from browser including login/password fields, keys logged in MS Word and notepad as well (screenshot attached, top - ignore the poor parsing of text, this is just a POC).

    I did not receive a single pop-up in these tests. Oh, except for the three pop-ups I got when I opened MS Word before even opening Excel (i.e. false positives before the test even started :S).

    I tried to see if running Excel as Low Integrity would beat this. Excel wouldn't start.

    ~~~
    Details:
    I was running Office 2003 (old I know). It is set to disallow unsigned macros by default, I had to change the security level to run this. *However*
    a) at work I and many others routinely receive MS Office files with macros enabled that actually do something that is needed
    b) this is just meant to act as a representative. Most programs capable of running some scripting language don't have provision for the script to be signed.

    ~~~
    Instructions:
    1. Open Excel
    2. Press Alt-F11
    3. Insert -> Module
    4. Copy-paste the code from the link
    5. Save
    6. Press Alt-F11
    7. Press Alt-F8 to run the macro
    8. Go type some test text in your browser and put on a sad face

    Edit: Changed title to be more sensationalist so I can get some discussion going here :)
    Last edited: Apr 11, 2012
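The post notes that the macro only ran after the Office "disallow unsigned macros" default was lowered. The following PowerShell audit is an added example, not code from the post or from SpyShelter: it reads the per-user VBA macro setting (the VBAWarnings value, Group Policy location first) for Excel, Word and PowerPoint across Office 2007 and later and flags any install where unsigned macros can run. It assumes the documented VBAWarnings values; Office 2003 stores its security level differently and is not covered.

```powershell
# Added example (not from the original post): audit the per-user VBA macro policy
# for Excel/Word/PowerPoint across Office 2007+ (12.0, 14.0, 15.0, 16.0).
# VBAWarnings: 1 = enable all, 2 = disable with notification (Office default when absent),
# 3 = disable all except digitally signed, 4 = disable all without notification.
# Office 2003 (11.0) uses a different "security level" value and is not covered here.
$versions = '12.0', '14.0', '15.0', '16.0'
$apps     = 'Excel', 'Word', 'PowerPoint'
$meaning  = @{
    1 = 'Enable all macros (unsafe)'
    2 = 'Disable with notification (one click enables)'
    3 = 'Disable all except digitally signed'
    4 = 'Disable all without notification'
}

function Get-MacroSetting {
    param([string]$Version, [string]$App)
    # A Group Policy value overrides the user preference, so check the Policies hive first.
    $paths = @(
        "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security",
        "HKCU:\Software\Microsoft\Office\$Version\$App\Security"
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($null -ne $v) {
            return [pscustomobject]@{ Version = $Version; App = $App; VBAWarnings = [int]$v; Source = $p }
        }
    }
    return $null
}

$results = foreach ($ver in $versions) {
    foreach ($app in $apps) {
        $s = Get-MacroSetting -Version $ver -App $app
        if ($s) { $s | Add-Member -NotePropertyName Meaning -NotePropertyValue $meaning[$s.VBAWarnings] -PassThru }
    }
}

if (-not $results) { Write-Host 'No explicit VBAWarnings values found for this user (Office default is 2).' }
$results | Format-Table Version, App, VBAWarnings, Meaning -AutoSize

# Anything weaker than "signed only" lets an unsigned macro like the one in the post run
# after a single click on the notification bar (or silently when set to 1).
$results | Where-Object { $_.VBAWarnings -lt 3 } | ForEach-Object {
    Write-Warning "$($_.App) $($_.Version): unsigned macros can run (VBAWarnings=$($_.VBAWarnings)) [$($_.Source)]"
}
```

Run it under the user account that opens the documents, since the setting is per-user; an absent value means the Office default of 2, which is the prompt the post's author clicked through.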