Office XML with Macros

Reply
L1 Bithead

Office XML with Macros

This is a custom vulnerability signature I created based on what I was seeing come through to our users.  Usually, the malicious Office files with macros were in either the binary Office 2003 format or the newer Office 2007+ format.  What I was seeing were Office XML (2003 era) files.

 

Note, this signature includes a specific string match for Word (since that was the only sample I had at the time), however it should be pretty simple to adjust for other patterns (Excel, etc.).  I based the signature on the sample I had, plus a few resources online such as the following YARA rule:  https://github.com/Neo23x0/signature-base/blob/master/yara/crime_dridex_xml.yar

 

set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match pattern "<\?xml version="
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match context file-html-body
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match negate no
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 2" or-condition "Or Condition 1" operator pattern-match pattern '<\?mso\-application progid="Word\.Document"\?>'
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 2" or-condition "Or Condition 1" operator pattern-match context file-html-body
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 2" or-condition "Or Condition 1" operator pattern-match negate no
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 3" or-condition "Or Condition 1" operator pattern-match pattern 'w:macrosPresent="yes"'
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 3" or-condition "Or Condition 1" operator pattern-match context file-html-body
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 3" or-condition "Or Condition 1" operator pattern-match negate no
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 4" or-condition "Or Condition 1" operator pattern-match pattern "<w:binData w:name="
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 4" or-condition "Or Condition 1" operator pattern-match context file-html-body
set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 4" or-condition "Or Condition 1" operator pattern-match negate no
set threats vulnerability 41000 signature standard "Office XML with Macros" order-free no
set threats vulnerability 41000 signature standard "Office XML with Macros" scope protocol-data-unit
set threats vulnerability 41000 default-action reset-both
set threats vulnerability 41000 threatname "Office XML with Macros"
set threats vulnerability 41000 severity high
set threats vulnerability 41000 direction both
set threats vulnerability 41000 affected-host client yes
set threats vulnerability 41000 affected-host server yes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!