Extra Tip For Triage Of MALWARE Bazaar's Daily Malware Batches, (Mon, Aug 16th)

This post was originally published on this site

Here's an extra tip to my diary entry "Simple Tips For Triage Of MALWARE Bazaar's Daily Malware Batches".

You can also use YARA rules together with my zipdump tool:

I'm using 2 simples rules to detect Office documents with VBA macros:

rule olevba {
    strings:
        $attribut_e = {00 41 74 74 72 69 62 75 74 00 65}
    condition:
        uint32be(0) == 0xD0CF11E0 and $attribut_e
}

rule pkvba {
    strings:
        $vbaprojectbin = "vbaProject.bin"
    condition:
        uint32be(0) == 0x504B0304 and $vbaprojectbin
}

Rule olevba is for binary (ole) office documents, and rule pkvba is for OOXML documents.

Remark: these rules are designed for triage: they might generate false positives or negatives.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.