Excel Macrosheets yara

1. rule susp_Excel_Macrosheets_Bulk {
2. meta:
3. desc = "Detects suspicious excel macrosheets artifacts"
4. author = "James Quinn"
5. strings:
6. $artifact1 = {43 00 3A 00 5C 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 00 00}
7. $artifact2 = {5C 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 2E 00 65 00 78 00 65}
8. $artifact6 = {43 00 3A 00 5C 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 00 00}
9. $artifact3 = {5c 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 2e 00 ?? 00 ?? 00}
10. $artifact4 = {5c 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 2e 00 64 00 6c 00 6c 00 00}
11. $artifact5 = {43 00 3A 00 5C 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 00 00}
12. $artifact7 = {43 3a 5c ?? ?? ?? ?? ??}
13. $import1 = "load" wide nocase
14. $import2 = "load" nocase
15. $openStr = "Docusign" nocase
16. $proto = "http"
17. condition:
18. (uint16(0) == 0x4b50 or uint32be(0) == 0x81010093 or uint32be(0) == 0xD0CF11E0) and
19. filesize < 1000KB and
20. 1 of ($artifact*) and $openStr and 1 of ($import*) and $proto
21. }
22.