Sneed-Reactivity/yara-mikesxrs/xme/office_macro.yar

rule office_macro
{
    meta:
        description = "M$ Office document containing a macro"
        author = "Xavier Mertens"
        reference = "https://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/"
        thread_level = 1
        in_the_wild = true
    strings:
        $a = {d0 cf 11 e0}
        $b = {00 41 74 74 72 69 62 75 74 00}
    condition:
        $a at 0 and $b
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 17:43:35 +00:00			`rule office_macro`
			`{`
			`meta:`
			`description = "M$ Office document containing a macro"`
			`author = "Xavier Mertens"`
			`reference = "https://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/"`
			`thread_level = 1`
			`in_the_wild = true`
			`strings:`
			`$a = {d0 cf 11 e0}`
			`$b = {00 41 74 74 72 69 62 75 74 00}`
			`condition:`
			`$a at 0 and $b`
			`}`