rule Dridex_Trojan_XML { meta: description = "Dridex Malware in XML Document" author = "Florian Roth (Nextron Systems) @4nc4p" reference = "https://threatpost.com/dridex-banking-trojan-spreading-via-macros-in-xml-files/111503" date = "2015/03/08" hash1 = "88d98e18ed996986d26ce4149ae9b2faee0bc082" hash2 = "3b2d59adadf5ff10829bb5c27961b22611676395" hash3 = "e528671b1b32b3fa2134a088bfab1ba46b468514" hash4 = "981369cd53c022b434ee6d380aa9884459b63350" hash5 = "96e1e7383457293a9b8f2c75270b58da0e630bea" id = "a8f3406c-f8b0-559f-be12-6b2a7d401ac2" strings: // can be ascii or wide formatted - therefore no restriction $c_xml = "" $c_macro = "w:macrosPresent=\"yes\"" $c_binary = "0" $c_1_line = "1" condition: all of ($c*) }