SHARE
TWEET

Yara rule - macro_sheet_zloader

dissectmalware Apr 7th, 2020 (edited) 455 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. rule macro_sheet_obfuscated_char
  2. {
  3.         meta:
  4.                 description = "Finding hidden/very-hidden macros with many CHAR functions"
  5.                 Author = "DissectMalware"
  6.                 Sample = "0e9ec7a974b87f4c16c842e648dd212f80349eecb4e636087770bc1748206c3b (Zloader)"
  7.         strings:
  8.                 $ole_marker = {D0 CF 11 E0 A1 B1 1A E1}              
  9.                 $macro_sheet_h1 = {85 00 ?? ?? ?? ?? ?? ?? 01 01}
  10.                 $macro_sheet_h2 = {85 00 ?? ?? ?? ?? ?? ?? 02 01}    
  11.                 $char_func = {06 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 1E 3D  00 41 6F 00}
  12.         condition:
  13.                 $ole_marker at 0 and 1 of ($macro_sheet_h*) and #char_func > 10
  14.  
  15. }
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top