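/*
    Tags Microsoft Office files that carry a VBA project, in either container:
      - OLE2 compound file (legacy binary formats): header magic plus a VBA marker
      - ZIP container (OOXML formats): "PK" header plus a VBA part name

    Scope notes for analysts:
      - A hit means "this document contains macros", not "this document is
        malicious". Use it for triage/tagging and hand matches to macro
        content analysis before raising an alert.
      - The marker strings are not anchored to any structure, so a ZIP or OLE2
        file that merely contains one of them anywhere in its bytes also matches.

    The container magics are tested with integer reads at offset 0 instead of
    string atoms: a 2-byte string such as "PK" gives YARA a very weak search
    atom, while uint16()/uint32() only inspect the file header. The set of
    matching files is the same; only the strings reported for a match change.
*/
rule office_document_vba
{
	meta:
		description = "Office document with embedded VBA"
		author = "Jean-Philippe Teissier / @Jipe_"
		date = "2013-12-17"
		reference = "N/A"

	strings:
		// Markers looked for inside OLE2 containers.
		// $97str1 is matched as UTF-16LE only (wide, no ascii modifier).
		$97str1 = "_VBA_PROJECT_CUR" wide
		$97str2 = "VBAProject"
		// Bytes spell "Attribut", 0x00, "e VB_" -- presumably the "Attribute VB_"
		// source line as it appears inside a compressed VBA stream (confirm against
		// samples before editing this pattern).
		$97str3 = { 41 74 74 72 69 62 75 74 00 65 20 56 42 5F }

		// Part names looked for inside ZIP containers.
		$xmlstr1 = "vbaProject.bin"
		$xmlstr2 = "vbaData.xml"

	condition:
		// OLE2 magic D0 CF 11 E0 A1 B1 1A E1, read as two little-endian dwords.
		(uint32(0) == 0xE011CFD0 and uint32(4) == 0xE11AB1A1 and any of ($97str*)) or
		// "PK" (50 4B) read as a little-endian word; kept at two bytes so every
		// ZIP record type accepted by the original rule is still accepted.
		(uint16(0) == 0x4B50 and any of ($xmlstr*))
}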