-
Notifications
You must be signed in to change notification settings - Fork 21
/
malicious_office.yar
145 lines (132 loc) · 4.88 KB
/
malicious_office.yar
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
rule maldoc_indirect_function_call_1 : maldoc
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {FF 75 ?? FF 55 ??}
condition:
for any i in (1..#a): (uint8(@a[i] + 2) == uint8(@a[i] + 5))
}
rule maldoc_indirect_function_call_2 : maldoc
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {FF B5 ?? ?? ?? ?? FF 95 ?? ?? ?? ??}
condition:
for any i in (1..#a): ((uint8(@a[i] + 2) == uint8(@a[i] + 8)) and (uint8(@a[i] + 3) == uint8(@a[i] + 9)) and (uint8(@a[i] + 4) == uint8(@a[i] + 10)) and (uint8(@a[i] + 5) == uint8(@a[i] + 11)))
}
rule maldoc_indirect_function_call_3 : maldoc
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {FF B7 ?? ?? ?? ?? FF 57 ??}
condition:
$a
}
rule maldoc_find_kernel32_base_method_1 : maldoc
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a1 = {64 8B (05|0D|15|1D|25|2D|35|3D) 30 00 00 00}
$a2 = {64 A1 30 00 00 00}
condition:
any of them
}
rule maldoc_find_kernel32_base_method_2 : maldoc
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {31 ?? ?? 30 64 8B ??}
condition:
for any i in (1..#a): ((uint8(@a[i] + 1) >= 0xC0) and (((uint8(@a[i] + 1) & 0x38) >> 3) == (uint8(@a[i] + 1) & 0x07)) and ((uint8(@a[i] + 2) & 0xF8) == 0xA0) and (uint8(@a[i] + 6) <= 0x3F) and (((uint8(@a[i] + 6) & 0x38) >> 3) != (uint8(@a[i] + 6) & 0x07)))
}
rule maldoc_find_kernel32_base_method_3 : maldoc
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {68 30 00 00 00 (58|59|5A|5B|5C|5D|5E|5F) 64 8B ??}
condition:
for any i in (1..#a): (((uint8(@a[i] + 5) & 0x07) == (uint8(@a[i] + 8) & 0x07)) and (uint8(@a[i] + 8) <= 0x3F) and (((uint8(@a[i] + 8) & 0x38) >> 3) != (uint8(@a[i] + 8) & 0x07)))
}
rule mwi_document: exploitdoc maldoc
{
meta:
description = "MWI generated document"
author = "@Ydklijnsma"
source = "http://blog.0x3a.com/post/117760824504/analysis-of-a-microsoft-word-intruder-sample"
strings:
$field_creation_tag = "{\\field{\\*\\fldinst { INCLUDEPICTURE"
$mwistat_url = ".php?id="
$field_closing_tag = "\\\\* MERGEFORMAT \\\\d}}{\\fldrslt}}"
condition:
all of them
}
rule macrocheck : maldoc
{
meta:
Author = "Fireeye Labs"
Date = "2014/11/30"
Description = "Identify office documents with the MACROCHECK credential stealer in them. It can be run against .doc files or VBA macros extraced from .docx files (vbaProject.bin files)."
Reference = "https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html"
strings:
$PARAMpword = "pword=" ascii wide
$PARAMmsg = "msg=" ascii wide
$PARAMuname = "uname=" ascii
$userform = "UserForm" ascii wide
$userloginform = "UserLoginForm" ascii wide
$invalid = "Invalid username or password" ascii wide
$up1 = "uploadPOST" ascii wide
$up2 = "postUpload" ascii wide
condition:
all of ($PARAM*) or (($invalid or $userloginform or $userform) and ($up1 or $up2))
}
rule Office_AutoOpen_Macro : maldoc {
meta:
description = "Detects an Microsoft Office file that contains the AutoOpen Macro function"
author = "Florian Roth"
date = "2015-05-28"
score = 60
hash1 = "4d00695d5011427efc33c9722c61ced2"
hash2 = "63f6b20cb39630b13c14823874bd3743"
hash3 = "66e67c2d84af85a569a04042141164e6"
hash4 = "a3035716fe9173703941876c2bde9d98"
hash5 = "7c06cab49b9332962625b16f15708345"
hash6 = "bfc30332b7b91572bfe712b656ea8a0c"
hash7 = "25285b8fe2c41bd54079c92c1b761381"
strings:
$s1 = "AutoOpen" ascii fullword
$s2 = "Macros" wide fullword
condition:
uint32be(0) == 0xd0cf11e0 and all of ($s*) and filesize < 300000
}
rule Embedded_EXE_Cloaking : maldoc {
meta:
description = "Detects an embedded executable in a non-executable file"
author = "Florian Roth"
date = "2015/02/27"
score = 80
strings:
$noex_png = { 89 50 4E 47 }
$noex_pdf = { 25 50 44 46 }
$noex_rtf = { 7B 5C 72 74 66 31 }
$noex_jpg = { FF D8 FF E0 }
$noex_gif = { 47 49 46 38 }
$mz = { 4D 5A }
$a1 = "This program cannot be run in DOS mode"
$a2 = "This program must be run under Win32"
condition:
(
( $noex_png at 0 ) or
( $noex_pdf at 0 ) or
( $noex_rtf at 0 ) or
( $noex_jpg at 0 ) or
( $noex_gif at 0 )
)
and
for any i in (1..#mz): ( @a1 < ( @mz[i] + 200 ) or @a2 < ( @mz[i] + 200 ) )
}