Sneed-Reactivity/yara-mikesxrs/evild3ad/contains_userform_object_2.yara

20 lines
618 B
Text
Raw Normal View History

rule Contains_UserForm_Object_2
{
meta:
author = "Martin Willing (https://evild3ad.com)"
description = "Detect UserForm object in MS Office document. Attackers use UserForm objects to obfuscate their scripts and malicious code."
alert = "May used to store malicious code in a UserForm object embedded in a form object"
reference = "https://msdn.microsoft.com/en-us/library/office/gg264663.aspx"
hash = "3c013125ffe34b81e39f92b59ca26b6c"
date = "2016-03-11"
filetype = "Office documents"
strings:
$a = "Microsoft Forms 2.0" // Forms
$b = "UserForm1" // UserForm
condition:
all of them
}