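/*
    Flags Office files that carry VBA macro code.

    Two branches, selected by the file's leading bytes:
      - OLE2 compound file (D0 CF 11 E0 A1 B1 1A E1) plus any legacy VBA marker
      - ZIP container ("PK") plus any macro part name used by OOXML documents

    Triage notes:
      - A hit means macro content is present, not that it is malicious; pair it
        with macro extraction/analysis before raising severity.
      - The ZIP branch only checks for the part names as plain strings, so any
        ZIP archive that stores a file with one of those names will match.
      - Only files that begin with one of the two signatures are considered;
        Office content wrapped in another container format is out of scope.

    The header checks use uint16/uint32 reads at offset 0 rather than string
    definitions anchored with "at 0". The match result is the same, but the
    scanner no longer has to search the whole file for a two-byte "PK" pattern.
    Integer reads are little-endian, hence the byte-swapped constants.
*/
rule Contains_VBA_macro_code
{
    meta:
        author = "evild3ad"
        description = "Detect a MS Office document with embedded VBA macro code"
        date = "2016-01-09"
        filetype = "Office documents"

    strings:
        // Legacy (OLE2) markers. "wide" matches the UTF-16 form of the name.
        $97str1 = "_VBA_PROJECT_CUR" wide
        $97str2 = "VBAProject"
        // "Attribute VB_" with a 00 byte after "Attribut" -- presumably the form
        // the text takes inside the compressed VBA module stream; confirm.
        $97str3 = { 41 74 74 72 69 62 75 74 00 65 20 56 42 5F } // Attribute VB_

        // Macro part names stored in ZIP-based Office documents.
        $xmlstr1 = "vbaProject.bin"
        $xmlstr2 = "vbaData.xml"

    condition:
        // OLE2 signature D0 CF 11 E0 A1 B1 1A E1 at offset 0
        (uint32(0) == 0xE011CFD0 and uint32(4) == 0xE11AB1A1 and any of ($97str*)) or
        // "PK" at offset 0
        (uint16(0) == 0x4B50 and any of ($xmlstr*))
}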