Extra Tip For Triage Of MALWARE Bazaar's Daily Malware Batches, (Mon, Aug 16th)

Here’s an extra tip to my diary entry “Simple Tips For Triage Of MALWARE Bazaar’s Daily Malware Batches“.

You can also use YARA rules together with my zipdump tool:

I’m using 2 simples rules to detect Office documents with VBA macros:

rule olevba {
        $attribut_e = {00 41 74 74 72 69 62 75 74 00 65}
        uint32be(0) == 0xD0CF11E0 and $attribut_e

rule pkvba {
        $vbaprojectbin = “vbaProject.bin”
        uint32be(0) == 0x504B0304 and $vbaprojectbin

Rule olevba is for binary (ole) office documents, and rule pkvba is for OOXML documents.

Remark: these rules are designed for triage: they might generate false positives or negatives.

Didier Stevens
Senior handler
Microsoft MVP

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.