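/*
    Contains_VBA_macro_code

    Flags a Microsoft Office document that appears to carry a VBA project.
    Two container layouts are checked:
      - OLE2 compound file (legacy .doc/.xls/.ppt): OLE magic at offset 0 plus
        any one of the VBA storage/stream markers ($97str*).
      - ZIP package (OOXML .docm/.xlsm/.pptm and similar): "PK" at offset 0 plus
        any one of the VBA part names ($xmlstr*).

    Scope notes for analysts:
      - A hit means macro code is present, not that it is malicious. Treat it
        as a triage signal and follow up with macro extraction and review.
      - Only files that begin with one of the two magics are considered.
        Documents wrapped in another container, and encrypted documents whose
        contents are not visible in the clear, are outside this rule's
        coverage and need their own detections.
      - "PK" at 0 accepts any ZIP-style archive, so the $xmlstr* part names do
        all of the narrowing on that branch.

    Layout note: the annotation on $97str3 is a block comment on purpose. As a
    trailing "//" comment on a rule collapsed onto one line, it would comment
    out the remaining strings and the whole condition section.
*/
rule Contains_VBA_macro_code
{
    meta:
        author = "evild3ad"
        description = "Detect a MS Office document with embedded VBA macro code"
        date = "2016-01-09"
        filetype = "Office documents"

    strings:
        /* Container magics, both anchored at offset 0 by the condition. */
        $officemagic = { D0 CF 11 E0 A1 B1 1A E1 }
        $zipmagic = "PK"

        /* OLE2 (Office 97-2003) markers. $97str1 is matched as UTF-16LE (wide). */
        $97str1 = "_VBA_PROJECT_CUR" wide
        $97str2 = "VBAProject"
        /* "Attribut" 00 "e VB_": the text "Attribute VB_" with a 00 byte after
           the eighth character, presumably the flag byte of a compressed VBA
           source stream -- confirm against MS-OVBA if the pattern is changed. */
        $97str3 = { 41 74 74 72 69 62 75 74 00 65 20 56 42 5F }

        /* OOXML package part names that hold the VBA project. */
        $xmlstr1 = "vbaProject.bin"
        $xmlstr2 = "vbaData.xml"

    condition:
        ($officemagic at 0 and any of ($97str*)) or
        ($zipmagic at 0 and any of ($xmlstr*))
}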