In diary entry "Extra Tip For Triage Of MALWARE Bazaar's Daily Malware Batches" I shared 2 simple YARA rules to triage Office documents with VBA code. This is rule olevba, for Office documents that use the binary Compound File Binary Format (CFBF), a.k.a. the OLE file format:
"uint32be(0) == 0xD0CF11E0" tests whether the file starts with the bytes D0 CF 11 E0: the first four bytes of the magic header of OLE files (D0 CF 11 E0 A1 B1 1A E1). The ASCII representation of 00 41 74 74 72 69 62 75 74 00 65 is ".Attribut.e", where the dot (.) represents a NULL byte. This is the sequence that starts the compressed VBA source code as the VBA IDE generates it: every module's source begins with the line "Attribute VB_Name = ...", and the MS-OVBA compressor encodes it as a flag byte (00), the 8 literal bytes "Attribut", another flag byte (00), and then "e". The sequence is therefore only present when the compressed source code is still intact (i.e., it has not been tampered with, as in VBA stomping, where the compressed source is removed or replaced while the p-code remains). If both conditions are met, the YARA rule triggers. False positives can occur, especially when string $attribut_e is found inside binary data that is not compressed VBA data. This is rule pkvba, for Office documents that use the OOXML file format:
OOXML is essentially a ZIP container holding XML files (and, for macro-enabled documents, an OLE file holding the VBA project). "uint32be(0) == 0x504B0304" tests whether the file starts with the bytes 50 4B 03 04 ("PK", 03, 04): the signature of a ZIP local file header, the record that is normally found first in a ZIP file. vbaProject.bin is the filename of the OLE file that contains the VBA project (for example word/vbaProject.bin or xl/vbaProject.bin). If both conditions are met, the YARA rule triggers. False positives can occur, especially when the string vbaProject.bin is found somewhere other than in the filename field of a ZIP record, for example inside the stored content of another entry. Note that neither rule inspects the VBA code itself: a hit only tells you the document still carries VBA source code, which is why these rules are useful to decide which samples of a daily batch to look at first.
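As an added example, not the diary's YARA rules (which are not reproduced here) and not a YARA replacement, the following Python reimplements the olevba and pkvba conditions over raw file bytes, and adds a stricter OOXML check that parses the ZIP directory so that vbaProject.bin has to be an actual entry name rather than a byte string somewhere in the file. All sample inputs are constructed inside the script: the OLE sample only mimics the magic header and the prefix of a compressed module stream, it is not a valid CFBF file, and the chunk header bytes are a placeholder.

```python
"""Added example: the olevba/pkvba triage checks reimplemented in Python.

Not the diary's YARA rules and not a YARA replacement; the point is to show
what the two conditions test and where the cheap string search gives false
positives. Sample inputs are constructed below; they are not real documents.
"""
import io
import struct
import sys
import zipfile

OLE_MAGIC = 0xD0CF11E0            # first 4 bytes of D0 CF 11 E0 A1 B1 1A E1
ZIP_LOCAL_HEADER = 0x504B0304     # "PK\x03\x04", ZIP local file header
# 00 "Attribut" 00 "e": flag byte, 8 literal bytes, flag byte, literal, as the
# MS-OVBA compressor encodes the first source line "Attribute VB_Name = ...".
ATTRIBUT_E = b"\x00Attribut\x00e"
VBA_PROJECT = b"vbaProject.bin"


def uint32be(data, offset=0):
    """Python equivalent of YARA's uint32be(offset); None if the file is too short."""
    if len(data) < offset + 4:
        return None
    return struct.unpack_from(">I", data, offset)[0]


def rule_olevba(data):
    """Same conditions as rule olevba: OLE magic + compressed VBA source prefix."""
    return uint32be(data) == OLE_MAGIC and ATTRIBUT_E in data


def rule_pkvba(data):
    """Same conditions as rule pkvba: ZIP local header + 'vbaProject.bin' anywhere."""
    return uint32be(data) == ZIP_LOCAL_HEADER and VBA_PROJECT in data


def ooxml_has_vba_project(data):
    """Stricter OOXML check: vbaProject.bin must be the name of a ZIP entry."""
    if uint32be(data) != ZIP_LOCAL_HEADER:
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.rsplit("/", 1)[-1] == "vbaProject.bin"
                       for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(data):
    """Return the name of the rule that matched ('olevba' or 'pkvba'), or None."""
    if rule_olevba(data):
        return "olevba"
    if rule_pkvba(data):
        return "pkvba"
    return None


# --- constructed samples (hypothetical, not real Office documents) ----------

def build_zip(entries):
    """Build an uncompressed ZIP (a minimal OOXML-like container) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


OLE_HEADER = bytes.fromhex("D0CF11E0A1B11AE1") + b"\x00" * 24
# Header followed by the start of a compressed module stream: 0x01 signature,
# a placeholder chunk header, then 00 "Attribut" 00 "e VB_Name ...".
SAMPLE_OLE_WITH_VBA = (OLE_HEADER + b"\x01\x00\xb0"
                       + b"\x00Attribut\x00e VB_Name = \"Module1\"\r\n")
# Same header, but no compressed source: what VBA stomping leaves behind.
SAMPLE_OLE_NO_SOURCE = OLE_HEADER + b"\x00" * 64

SAMPLE_OOXML_WITH_VBA = build_zip({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": OLE_HEADER,
})
# Macro-free document whose XML merely mentions the name: rule_pkvba fires
# (the string is inside a stored entry), the stricter check does not.
SAMPLE_OOXML_FALSE_POSITIVE = build_zip({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<!-- see vbaProject.bin --><w:document/>",
})


if __name__ == "__main__":
    # Usage: python triage_vba.py sample1 sample2 ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, triage(f.read()))
```

The false-positive sample shows the trade-off behind the YARA rule: the string test is cheap and needs no ZIP parsing, which is what you want when scanning a whole daily batch, while the zipfile-based check costs more but only reports files whose ZIP directory really contains a vbaProject.bin entry.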
Didier Stevens, ISC Handler, Nov 22nd 2021