// YARA rules Office DDE
// NVISO 2017/10/10 - 2017/10/12
// https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
/* slowing down scanning
rule Office_DDEAUTO_field {
meta:
description = "Detects DDE in MS Office documents"
author = "NVISO Labs"
reference = "https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/"
date = "2017-10-12"
score = 60
strings:
$a = /.{1,1000}?\b[Dd][Dd][Ee][Aa][Uu][Tt][Oo]\b.{1,1000}?/
condition:
$a
}
rule Office_DDE_field {
meta:
description = "Detects DDE in MS Office documents"
author = "NVISO Labs"
reference = "https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/"
date = "2017-10-12"
score = 40
strings:
$a = /.+?\b[Dd][Dd][Ee]\b.+?/
condition:
$a
}
*/
rule Office_OLE_DDEAUTO {
meta:
description = "Detects DDE in MS Office documents"
author = "NVISO Labs"
reference = "https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/"
date = "2017-10-12"
score = 30
id = "2ead3cc9-f517-5916-93c9-1393362aa45d"
strings:
$a = /\x13\s*DDEAUTO\b[^\x14]+/ nocase
condition:
uint32be(0) == 0xD0CF11E0 and $a
}
rule Office_OLE_DDE {
meta:
description = "Detects DDE in MS Office documents"
author = "NVISO Labs"
reference = "https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/"
date = "2017-10-12"
score = 50
id = "2ead3cc9-f517-5916-93c9-1393362aa45d"
strings:
$a = /\x13\s*DDE\b[^\x14]+/ nocase
$r1 = { 52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00 79 }
$r2 = "Adobe ARM Installer"
condition:
uint32be(0) == 0xD0CF11E0 and $a and not 1 of ($r*)
}