mirror of
https://github.com/valitydev/signature-base.git
synced 2024-11-07 02:25:19 +00:00
17 lines
567 B
Plaintext
17 lines
567 B
Plaintext
rule SUSP_Office_Dropper_Strings {
|
|
meta:
|
|
description = "Detects Office droppers that include a notice to enable active content"
|
|
author = "Florian Roth"
|
|
reference = "Internal Research"
|
|
date = "2018-09-13"
|
|
strings:
|
|
$a1 = "_VBA_PROJECT" fullword wide
|
|
|
|
$s1 = "click enable editing" fullword ascii
|
|
$s2 = "click enable content" fullword ascii
|
|
$s3 = "\"Enable Editing\"" fullword ascii
|
|
$s4 = "\"Enable Content\"" fullword ascii
|
|
condition:
|
|
uint16(0) == 0xcfd0 and filesize < 500KB and $a1 and 1 of ($s*)
|
|
}
|