Sneed-Reactivity/yara-mikesxrs/evild3ad/contains_userform_object_1.yara

rule Contains_UserForm_Object_1
{
	meta:
		author = "Martin Willing (https://evild3ad.com)"
		description = "Detect UserForm object in MS Office document. Attackers use UserForm objects to obfuscate their scripts and malicious code."
		alert = "May used to store a URL as a property of a userform"
		reference = "https://isc.sans.edu/forums/diary/Tip+Quick+Analysis+of+Office+Maldoc/20751/"
		reference = "http://blog.didierstevens.com/2016/03/11/update-oledump-py-version-0-0-23/"
		hash = "4e0c55054c4f7c32aece5cfbbea02846"
		date = "2016-03-11"
		filetype = "Office documents"
		
	strings:
		
		$a = "Microsoft Forms 2.0" // Forms
		$b = "http"
	
	condition:
	 	all of them
}