VBA

/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.

*/


rule Contains_VBA_macro_code
{
    meta:
        author = "evild3ad"
        description = "Detect a MS Office document with embedded VBA macro code"
        date = "2016-01-09"
        filetype = "Office documents"

    strings:
        $officemagic = { D0 CF 11 E0 A1 B1 1A E1 }
        $zipmagic = "PK"

        $97str1 = "_VBA_PROJECT_CUR" wide
        $97str2 = "VBAProject"
        $97str3 = { 41 74 74 72 69 62 75 74 00 65 20 56 42 5F } // Attribute VB_

        $xmlstr1 = "vbaProject.bin"
        $xmlstr2 = "vbaData.xml"

    condition:
        ($officemagic at 0 and any of ($97str*)) or ($zipmagic at 0 and any of ($xmlstr*))
}