<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Office XML with Macros in Custom Signatures</title>
    <link>https://live.paloaltonetworks.com/t5/custom-signatures/office-xml-with-macros/m-p/248893#M292</link>
    <description>&lt;P&gt;This is a custom vulnerability signature I created based on what I was seeing come through to our users.&amp;nbsp; Usually, the malicious Office files with macros were in either the binary Office 2003 format or the newer Office 2007+ format.&amp;nbsp; What I was seeing were Office XML (2003 era) files.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Note: this signature includes a specific string match for Word (since that was the only sample I had at the time); however, it should be pretty simple to adjust for other patterns (Excel, etc.).&amp;nbsp; I based the signature on the sample I had, plus a few resources online such as the following YARA rule:&amp;nbsp;&amp;nbsp;&lt;A href="https://github.com/Neo23x0/signature-base/blob/master/yara/crime_dridex_xml.yar" target="_blank"&gt;https://github.com/Neo23x0/signature-base/blob/master/yara/crime_dridex_xml.yar&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match pattern "&amp;lt;\?xml version="
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match context file-html-body
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match negate no
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 2" or-condition "Or Condition 1" operator pattern-match pattern '&amp;lt;\?mso\-application progid="Word\.Document"\?&amp;gt;'
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 2" or-condition "Or Condition 1" operator pattern-match context file-html-body
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 2" or-condition "Or Condition 1" operator pattern-match negate no
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 3" or-condition "Or Condition 1" operator pattern-match pattern 'w:macrosPresent="yes"'
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 3" or-condition "Or Condition 1" operator pattern-match context file-html-body
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 3" or-condition "Or Condition 1" operator pattern-match negate no
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 4" or-condition "Or Condition 1" operator pattern-match pattern "&amp;lt;w:binData w:name="
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 4" or-condition "Or Condition 1" operator pattern-match context file-html-body
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 4" or-condition "Or Condition 1" operator pattern-match negate no
set threats vulnerability 41000 signature standard "Office XML with Macros" order-free no
set threats vulnerability 41000 signature standard "Office XML with Macros" scope protocol-data-unit
set threats vulnerability 41000 default-action reset-both
set threats vulnerability 41000 threatname "Office XML with Macros"
set threats vulnerability 41000 severity high
set threats vulnerability 41000 direction both
set threats vulnerability 41000 affected-host client yes
set threats vulnerability 41000 affected-host server yes&lt;/PRE&gt;</description>
    <pubDate>Tue, 05 Feb 2019 16:34:03 GMT</pubDate>
    <dc:creator>rickyboone</dc:creator>
    <dc:date>2019-02-05T16:34:03Z</dc:date>
    <item>
      <title>Office XML with Macros</title>
      <link>https://live.paloaltonetworks.com/t5/custom-signatures/office-xml-with-macros/m-p/248893#M292</link>
      <description>&lt;P&gt;This is a custom vulnerability signature I created based on what I was seeing come through to our users.&amp;nbsp; Usually, the malicious Office files with macros were in either the binary Office 2003 format or the newer Office 2007+ format.&amp;nbsp; What I was seeing were Office XML (2003 era) files.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Note: this signature includes a specific string match for Word (since that was the only sample I had at the time); however, it should be pretty simple to adjust for other patterns (Excel, etc.).&amp;nbsp; I based the signature on the sample I had, plus a few resources online such as the following YARA rule:&amp;nbsp;&amp;nbsp;&lt;A href="https://github.com/Neo23x0/signature-base/blob/master/yara/crime_dridex_xml.yar" target="_blank"&gt;https://github.com/Neo23x0/signature-base/blob/master/yara/crime_dridex_xml.yar&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match pattern "&amp;lt;\?xml version="
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match context file-html-body
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match negate no
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 2" or-condition "Or Condition 1" operator pattern-match pattern '&amp;lt;\?mso\-application progid="Word\.Document"\?&amp;gt;'
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 2" or-condition "Or Condition 1" operator pattern-match context file-html-body
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 2" or-condition "Or Condition 1" operator pattern-match negate no
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 3" or-condition "Or Condition 1" operator pattern-match pattern 'w:macrosPresent="yes"'
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 3" or-condition "Or Condition 1" operator pattern-match context file-html-body
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 3" or-condition "Or Condition 1" operator pattern-match negate no
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 4" or-condition "Or Condition 1" operator pattern-match pattern "&amp;lt;w:binData w:name="
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 4" or-condition "Or Condition 1" operator pattern-match context file-html-body
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 4" or-condition "Or Condition 1" operator pattern-match negate no
set threats vulnerability 41000 signature standard "Office XML with Macros" order-free no
set threats vulnerability 41000 signature standard "Office XML with Macros" scope protocol-data-unit
set threats vulnerability 41000 default-action reset-both
set threats vulnerability 41000 threatname "Office XML with Macros"
set threats vulnerability 41000 severity high
set threats vulnerability 41000 direction both
set threats vulnerability 41000 affected-host client yes
set threats vulnerability 41000 affected-host server yes&lt;/PRE&gt;</description>
      <pubDate>Tue, 05 Feb 2019 16:34:03 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/custom-signatures/office-xml-with-macros/m-p/248893#M292</guid>
      <dc:creator>rickyboone</dc:creator>
      <dc:date>2019-02-05T16:34:03Z</dc:date>
    </item>
  </channel>
</rss>

