Sneed-Reactivity/yara-mikesxrs/Fireeye/MACROCHECK.YAR

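rule MACROCHECK
{
    meta:
        description = "Identify office documents with the MACROCHECK credential stealer in them. It can be run against .doc files or VBA macros extraced from .docx files (vbaProject.bin files)."
        author = "Fireeye Labs"
        version = "1.0"
    strings:
        // Parameter names (presumably the body of the credential upload request).
        // All three now carry the same `ascii wide` modifiers: the original had
        // $PARAMuname as ascii-only, so `all of ($PARAM*)` could never be satisfied
        // on a sample that stores these names as UTF-16LE, even though the other
        // two parameters would match in wide form.
        $PARAMpword = "pword=" ascii wide
        $PARAMmsg = "msg=" ascii wide
        $PARAMuname = "uname=" ascii wide
        // Form-name artefacts of the login dialog. Note that "UserForm" is a
        // substring of "UserLoginForm", so $userloginform implies $userform.
        $userform = "UserForm" ascii wide
        $userloginform = "UserLoginForm" ascii wide
        // Message text shown by the dialog on a rejected login.
        $invalid = "Invalid username or password" ascii wide
        // Upload routine names.
        $up1 = "uploadPOST" ascii wide
        $up2 = "postUpload" ascii wide
    condition:
        // Match on the complete parameter triple, or on any login-dialog
        // artefact combined with one of the upload routine names.
        all of ($PARAM*) or (($invalid or $userloginform or $userform) and ($up1 or $up2))
}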