02-05-2019 08:34 AM
This is a custom vulnerability signature I created based on what I was seeing come through to our users. Usually, the malicious Office files with macros were in either the binary Office 2003 format or the newer Office 2007+ format. What I was seeing were Office XML (2003 era) files.
Note, this signature includes a specific string match for Word (since that was the only sample I had at the time), however it should be pretty simple to adjust for other patterns (Excel, etc.). I based the signature on the sample I had, plus a few resources online such as the following YARA rule: https://github.com/Neo23x0/signature-base/blob/master/yara/crime_dridex_xml.yar
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match pattern "<\?xml version=" set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match context file-html-body set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match negate no set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 2" or-condition "Or Condition 1" operator pattern-match pattern '<\?mso\-application progid="Word\.Document"\?>' set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 2" or-condition "Or Condition 1" operator pattern-match context file-html-body set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 2" or-condition "Or Condition 1" operator pattern-match negate no set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 3" or-condition "Or Condition 1" operator pattern-match pattern 'w:macrosPresent="yes"' set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 3" or-condition "Or Condition 1" operator pattern-match context file-html-body set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 3" or-condition "Or Condition 1" operator pattern-match negate no set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 4" or-condition "Or Condition 1" operator pattern-match pattern "<w:binData w:name=" set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 4" or-condition "Or Condition 1" operator pattern-match context file-html-body set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 4" or-condition "Or Condition 1" operator pattern-match negate no set threats vulnerability 41000 signature standard "Office XML with Macros" order-free no set threats vulnerability 41000 signature standard "Office XML with Macros" scope protocol-data-unit set threats vulnerability 41000 default-action reset-both set threats vulnerability 41000 threatname "Office XML with Macros" set threats vulnerability 41000 severity high set threats vulnerability 41000 direction both set threats vulnerability 41000 affected-host client yes set threats vulnerability 41000 affected-host server yes
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
