Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: Extra Tip For Triage Of MALWARE Bazaar's Daily Malware Batches - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Extra Tip For Triage Of MALWARE Bazaar's Daily Malware Batches

Here's an extra tip to my diary entry "Simple Tips For Triage Of MALWARE Bazaar's Daily Malware Batches".

You can also use YARA rules together with my zipdump tool:

I'm using 2 simples rules to detect Office documents with VBA macros:

rule olevba {
    strings:
        $attribut_e = {00 41 74 74 72 69 62 75 74 00 65}
    condition:
        uint32be(0) == 0xD0CF11E0 and $attribut_e
}

rule pkvba {
    strings:
        $vbaprojectbin = "vbaProject.bin"
    condition:
        uint32be(0) == 0x504B0304 and $vbaprojectbin
}

Rule olevba is for binary (ole) office documents, and rule pkvba is for OOXML documents.

Remark: these rules are designed for triage: they might generate false positives or negatives.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

 DidierStevens

638 Posts
ISC Handler
Aug 16th 2021
Thread locked Subscribe Aug 16th 2021
9 months ago

Sign Up for Free or Log In to start participating in the conversation!