Suspicious CMD Var expansion in Office Docs

2024-11-06 10:05:18 +00:00 · 2018-09-28 13:29:35 +02:00 · 2018-09-28 13:29:35 +02:00 · 7dd457c5b3
commit 7dd457c5b3
parent a907fd2210
1 changed files with 13 additions and 0 deletions
--- a/yara/gen_susp_cmd_var_expansion.yar
+++ b/yara/gen_susp_cmd_var_expansion.yar
@ -0,0 +1,13 @@
+
+rule SUSP_CMD_Var_Expansion {
+   meta:
+      description = "Detects Office droppers that include a variable expansion string"
+      author = "Florian Roth"
+      reference = "https://twitter.com/asfakian/status/1044859525675843585"
+      date = "2018-09-26"
+      score = 60
+   strings:
+      $a1 = " /V:ON" ascii wide fullword
+   condition:
+      uint16(0) == 0xcfd0 and filesize < 500KB and $a1
+}