Sneed-Reactivity/yara-mikesxrs/xme/office_macro.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00


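// Flags legacy (OLE2 / Compound File Binary) Microsoft Office documents that
// carry a VBA macro project. Scope limits a triager should know about:
//  - it does NOT cover OOXML containers (.docm, .xlsm, .pptm); those are ZIP
//    archives, never start with the OLE2 magic, and need a separate rule that
//    looks inside the archive for vbaProject.bin;
//  - it detects the PRESENCE of a macro, not malicious intent, hence the low
//    threat_level; any OLE2 file that embeds a VBA project (including benign
//    corporate templates) is expected to match.
rule office_macro
{
    meta:
        description = "M$ Office document containing a macro"
        author = "Xavier Mertens"
        reference = "https://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/"
        // Upstream shipped this key as "thread_level" (a typo); renamed to the
        // conventional spelling so tooling that reads meta.threat_level sees it.
        threat_level = 1
        in_the_wild = true

    strings:
        // First four bytes of the OLE2/CFB header signature. The full signature
        // is D0 CF 11 E0 A1 B1 1A E1; four bytes anchored at offset 0 (see the
        // condition) are what the original rule used and are kept as-is.
        $a = {d0 cf 11 e0}
        // "Attribut" (41 74 74 72 69 62 75 74) from the VBA module header line
        // "Attribute VB_Name = ...", as stored in the MS-OVBA compressed source
        // stream: each 0x00 is a chunk flag byte announcing eight literal bytes,
        // so this token survives compression and does not depend on the module
        // name or the rest of the source.
        $b = {00 41 74 74 72 69 62 75 74 00}

    condition:
        // OLE2 magic must sit at the very start of the file; the compressed
        // VBA attribute token may appear anywhere in the container.
        $a at 0 and $b
}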