Sneed-Reactivity/yara-mikesxrs/evild3ad/contains_userform_object_3.yara

20 lines
674 B
Text
Raw Normal View History

rule Contains_UserForm_Object_3
{
meta:
author = "Martin Willing (https://evild3ad.com)"
description = "Detect UserForm object in MS Office document. Attackers use UserForm objects to obfuscate their scripts and malicious code."
alert = "May used to store malicious code in a TextBox1 object embedded in a form object"
reference = "https://blogs.mcafee.com/mcafee-labs/macro-malware-associated-dridex-finds-new-ways-hide/"
hash = "13d4e6f0f7dc15ba17df91954de0b01d"
date = "2016-03-11"
filetype = "Office documents"
strings:
$a = "Microsoft Forms 2.0" // Forms
$b = "UserForm1" // UserForm
$c = "TextBox1" // Control
condition:
all of them
}