08e8d462fe
RED PILL 🔴 💊
14 lines
417 B
Text
14 lines
417 B
Text
rule office_macro
|
|
{
|
|
meta:
|
|
description = "M$ Office document containing a macro"
|
|
author = "Xavier Mertens"
|
|
reference = "https://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/"
|
|
thread_level = 1
|
|
in_the_wild = true
|
|
strings:
|
|
$a = {d0 cf 11 e0}
|
|
$b = {00 41 74 74 72 69 62 75 74 00}
|
|
condition:
|
|
$a at 0 and $b
|
|
}
|