Created
April 15, 2020 19:17
-
-
Save JohnLaTwC/cc526374f83f60a4c32210e33c8dfe37 to your computer and use it in GitHub Desktop.
OOML Excel 4.0 macro
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule gen_ModernExcel4Macro | |
| { | |
| meta: | |
| description = "Detects Modern Excel4 macro use" | |
| author = "John Lambert @JohnLaTwC" | |
| date = "2020-04-15" | |
| hash1 = "308c0fee671459705221c5f1a8cee944f5ea803fddd0faa620cc8266d48c662b" | |
| hash2 = "618fee2c2f89a4f15b680e1ca9393d25c857e6d107fa0eb45b1a21c7601f975e" | |
| reference1 = "https://twitter.com/DissectMalware/status/1250411834953420808" | |
| strings: | |
| $header_xml = { 3c 3f 78 6d } | |
| $header_xlmacro = { 3c 78 6d 3a 6d 61 63 72 6f 73 68 65 65 74 } | |
| $s1 = "<f>CHAR(" | |
| $s2 = "<f>RUN(" | |
| $s3 = "<f>CALL(" | |
| $s4 = "<f>GOTO(" | |
| condition: | |
| filesize < 2400KB | |
| and $header_xml at 0 | |
| and $header_xlmacro in (0 .. 0x200) | |
| and any of ($s*) | |
| } | |
| rule gen_ModernExcel4MacroZIP | |
| { | |
| meta: | |
| description = "Detects Modern Excel4 macro use" | |
| author = "John Lambert @JohnLaTwC" | |
| date = "2020-04-15" | |
| hash = "01558388b33abe05f25afb6e96b0c899221fe75b037c088fa60fe8bbf668f606" | |
| reference1 = "https://twitter.com/DissectMalware/status/1250411834953420808" | |
| strings: | |
| $header_zip = { 50 4b 03 04 } | |
| $header_content_xml="[Content_Types].xml" nocase | |
| //00000e30: cc 02 00 00 19 00 00 00 78 6c 2f 6d 61 63 72 6f ........xl/macro | |
| //00000e40: 73 68 65 65 74 73 2f 73 68 65 65 74 34 2e 78 6d sheets/sheet1.xm | |
| $sheets = { 78 6c 2f 6d 61 63 72 6f 73 68 65 65 74 73 2f 73 68 65 65 74 3? [0-1] 2e 78 6d 6c} | |
| condition: | |
| filesize < 2400KB | |
| and $header_zip at 0 | |
| and $header_content_xml in (0 .. 0x200) | |
| and #sheets > 0 | |
| } | |
| rule gen_ModernExcel4MacroZIPManySheets | |
| { | |
| meta: | |
| description = "Detects Modern Excel4 macro use with many sheets" | |
| author = "John Lambert @JohnLaTwC" | |
| date = "2020-04-15" | |
| hash = "dfe1f9afcb096c83169a0708ffdc5ed4efbf51dea909c3e3334aa3d1a2ffec6b" | |
| hash1= "831cdf20a1a9b8ecd332e330922bd011fd0d32e2f27dbbf6d1f3985b9e640581" | |
| reference1 = "https://twitter.com/DissectMalware/status/1250411834953420808" | |
| strings: | |
| $sheets = { 78 6c 2f 6d 61 63 72 6f 73 68 65 65 74 73 2f 73 68 65 65 74 3? [0-1] 2e 78 6d 6c} | |
| condition: | |
| gen_ModernExcel4MacroZIP | |
| and #sheets > 5 | |
| } | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment