-
Notifications
You must be signed in to change notification settings - Fork 605
/
general_officemacros.yar
66 lines (62 loc) · 2.64 KB
/
general_officemacros.yar
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
rule Office_AutoOpen_Macro {
meta:
description = "Detects an Microsoft Office file that contains the AutoOpen Macro function"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
date = "2015-05-28"
score = 40
hash1 = "4d00695d5011427efc33c9722c61ced2"
hash2 = "63f6b20cb39630b13c14823874bd3743"
hash3 = "66e67c2d84af85a569a04042141164e6"
hash4 = "a3035716fe9173703941876c2bde9d98"
hash5 = "7c06cab49b9332962625b16f15708345"
hash6 = "bfc30332b7b91572bfe712b656ea8a0c"
hash7 = "25285b8fe2c41bd54079c92c1b761381"
id = "9774d96c-4d15-5a54-8fe2-e06372d9c4ec"
strings:
$s1 = "AutoOpen" ascii fullword
$s2 = "Macros" wide fullword
condition:
(
uint32be(0) == 0xd0cf11e0 or // DOC, PPT, XLS
uint32be(0) == 0x504b0304 // DOCX, PPTX, XLSX (PKZIP)
)
and all of ($s*) and filesize < 300000
}
rule Office_as_MHTML {
meta:
description = "Detects an Microsoft Office saved as a MHTML file (false positives are possible but rare; many matches on CVE-2012-0158)"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
date = "2015-05-28"
score = 40
reference = "https://www.trustwave.com/Resources/SpiderLabs-Blog/Malicious-Macros-Evades-Detection-by-Using-Unusual-File-Format/"
hash1 = "8391d6992bc037a891d2e91fd474b91bd821fe6cb9cfc62d1ee9a013b18eca80"
hash2 = "1ff3573fe995f35e70597c75d163bdd9bed86e2238867b328ccca2a5906c4eef"
hash3 = "d44a76120a505a9655f0224c6660932120ef2b72fee4642bab62ede136499590"
hash4 = "5b8019d339907ab948a413d2be4bdb3e5fdabb320f5edc726dc60b4c70e74c84"
id = "21c0c3da-7295-54ad-9947-557a3180af3a"
strings:
$s1 = "Content-Transfer-Encoding: base64" ascii fullword
$s2 = "Content-Type: application/x-mso" ascii fullword
$x1 = "QWN0aXZlTWltZQA" ascii // Base64 encoded 'ActiveMime'
$x2 = "0M8R4KGxGuE" ascii // Base64 encoded office header D0CF11E0A1B11AE1..
condition:
uint32be(0) == 0x4d494d45 // "MIME" header
and all of ($s*) and 1 of ($x*)
}
rule Docm_in_PDF {
meta:
description = "Detects an embedded DOCM in PDF combined with OpenAction"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2017-05-15"
id = "08dfdfda-8ea5-530d-b89b-560415855080"
strings:
$a1 = /<<\/Names\[\([\w]{1,12}.docm\)/ ascii
$a2 = "OpenAction" ascii fullword
$a3 = "JavaScript" ascii fullword
condition:
uint32(0) == 0x46445025 and all of them
}