signature-base/yara/gen_macro_builders.yar


rule SUSP_MalDoc_ExcelMacro {
  meta:
    description = "Detects malicious Excel macro Artifacts"
    author = "James Quinn"
    date = "2020-11-03"
    reference = "YARA Exchange - Undisclosed Macro Builder"
  strings:
    $artifact1 = {5c 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 2e 00 ?? 00 ?? 00}
    $url1 = "http://" wide
    $url2 = "https://" wide
    $import1 = "URLDownloadToFileA" wide ascii
    $macro = "xl/macrosheets/"
  condition:
    uint16(0) == 0x4b50 and
    filesize < 2000KB and
    $artifact1 and $macro and $import1 and 1 of ($url*)
}
Maldoc Excel Macro 2020-11-06 11:44:19 +00:00
			`rule SUSP_MalDoc_ExcelMacro {`
fix: wrong condition in macro builder rule 2020-11-06 11:49:26 +00:00			`meta:`
			`description = "Detects malicious Excel macro Artifacts"`
			`author = "James Quinn"`
			`date = "2020-11-03"`
			`reference = "YARA Exchange - Undisclosed Macro Builder"`
			`strings:`
			`$artifact1 = {5c 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 2e 00 ?? 00 ?? 00}`
			`$url1 = "http://" wide`
			`$url2 = "https://" wide`
			`$import1 = "URLDownloadToFileA" wide ascii`
			`$macro = "xl/macrosheets/"`
			`condition:`
			`uint16(0) == 0x4b50 and`
			`filesize < 2000KB and`
			`$artifact1 and $macro and $import1 and 1 of ($url*)`
Maldoc Excel Macro 2020-11-06 11:44:19 +00:00			`}`