Maldoc Excel Macro

2024-11-07 02:25:19 +00:00 · 2020-11-06 12:44:19 +01:00 · 2020-11-06 12:44:19 +01:00 · 71e6bf7e6c
commit 71e6bf7e6c
parent cc4a6ba2ff
1 changed files with 18 additions and 0 deletions
--- a/yara/gen_macro_builders.yar
+++ b/yara/gen_macro_builders.yar
@ -0,0 +1,18 @@
+
+rule SUSP_MalDoc_ExcelMacro {
+	meta:
+    	description = "Detects malicious Excel macro Artifacts"
+      author = "James Quinn"
+      date = "2020-11-03"
+      reference = "YARA Exchange - Undisclosed Macro Builder"
+    strings:
+    	$artifact1 = {5c 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 2e 00 ?? 00 ?? 00}
+    	$url1 = "http://" wide
+        $url2 = "https://" wide
+        $import1 = "URLDownloadToFileA" wide ascii
+        $macro = "xl/macrosheets/"
+   condition:
+        uint16(0) == 0x4b50 and
+        filesize < 2000KB and
+    	$artifact1 and $macro and $import and 1 of ($url*)
+}