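/*
 * MACROCHECK: flags Office documents / VBA projects that carry the
 * MACROCHECK credential-stealing macro (per the rule's own description).
 *
 * Intended scan targets, per the description: .doc files, or the
 * vbaProject.bin extracted from .docx files.
 *
 * NOTE(review): the condition has no file-type guard. Every string here is
 * short, generic text, so the first branch (all three parameter names) can
 * match any file that happens to contain them. Either restrict the scan to
 * the file types above, or consider adding an OLE2 header check such as
 * `uint32(0) == 0xE011CFD0` (confirm first that no target is fed to the rule
 * as plain extracted macro text, which that check would exclude).
 */
rule MACROCHECK
{
    meta:
        description = "Identify office documents with the MACROCHECK credential stealer in them. It can be run against .doc files or VBA macros extracted from .docx files (vbaProject.bin files)."
        author = "Fireeye Labs"
        version = "1.0"

    strings:
        // Parameter-style names; presumably the fields the macro sends out
        // with the captured credentials (verify against a sample).
        $PARAMpword = "pword=" ascii wide
        $PARAMmsg = "msg=" ascii wide
        // NOTE(review): ascii only, unlike its two siblings. Because the
        // first condition branch needs all three $PARAM* strings, a sample
        // holding these names only as UTF-16 would not satisfy it. Confirm
        // whether omitting `wide` here is deliberate.
        $PARAMuname = "uname=" ascii

        // Fake login dialog artefacts: form names and the error text.
        // "UserForm" is also the default form name in benign VBA projects,
        // so it is only meaningful together with an upload routine name.
        $userform = "UserForm" ascii wide
        $userloginform = "UserLoginForm" ascii wide
        $invalid = "Invalid username or password" ascii wide

        // Upload routine names.
        $up1 = "uploadPOST" ascii wide
        $up2 = "postUpload" ascii wide

    condition:
        // Branch 1: all three parameter names are present.
        all of ($PARAM*)
        or
        // Branch 2: any login-dialog artefact plus either upload routine name.
        (
            ($invalid or $userloginform or $userform)
            and ($up1 or $up2)
        )
}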