In diary entry "Extra Tip For Triage Of MALWARE Bazaar's Daily Malware Batches" I shared 2 simple YARA rules to triage Office documents with VBA code.
This is rule olevba, for Office documents that use the binary CFBF aka ole file format:
"uint32be(0) == 0xD0CF11E0" is a test to check if the file starts with D0CF11E0: that is the magic header of ole files.
The ASCII representation of 00 41 74 74 72 69 62 75 74 00 65 is ".Attribut.e", where the dot (.) represents a NULL byte. This sequence, is the start sequence of compressed VBA code generated by the VBA IDE (e.g., not been tampered with like VBA stomping).
If these 2 conditions are met, the YARA rule will trigger. False positives can occur, especially when string $attribut_e is found inside binary data that is not compressed VBA data.
This is rule pkvba, for Office documents that use the OOXML file format:
OOXML is essentially: a ZIP container, containing XML files.
"uint32be(0) == 0x504B0304" is a test to check if the file starts with 504B0304: that is the magic header of ZIP records typically found first inside a ZIP file.
vbaProject.bin is the filename of the ole file that contains the VBA project.
If these 2 conditions are met, the YARA rule will trigger. False positives can occur, especially when string vbaProject.bin is found somewhere else than inside a ZIP record.
Nov 22nd 2021
|Thread locked Subscribe||
Nov 22nd 2021
5 months ago