rule macro_sheet_obfuscated_char
{
    meta:
        description = "Finding hidden/very-hidden macros with many CHAR functions"
        Author = "DissectMalware"
        Sample = "0e9ec7a974b87f4c16c842e648dd212f80349eecb4e636087770bc1748206c3b (Zloader)"
    strings:
        $ole_marker = {D0 CF 11 E0 A1 B1 1A E1}
        $macro_sheet_h1 = {85 00 ?? ?? ?? ?? ?? ?? 01 01}
        $macro_sheet_h2 = {85 00 ?? ?? ?? ?? ?? ?? 02 01}
        $char_func = {06 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 1E 3D 00 41 6F 00}
    condition:
        $ole_marker at 0 and 1 of ($macro_sheet_h*) and #char_func > 10
}
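An added example (not part of the paste or the rule author's tooling) that re-implements the rule's three hex patterns and its condition in Python, and builds a constructed BIFF8 byte buffer so the patterns can be exercised offline. The BOUNDSHEET and FORMULA record layouts and the ptgInt/ptgFunc token bytes are my reading of the BIFF8 format, stated as assumptions in the comments; the buffer is OLE magic plus raw records, not a real workbook.

```python
import re
import struct

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # $ole_marker: OLE2 compound file signature


def yara_hex_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string such as '85 00 ?? 01' into a bytes regex ('??' -> any byte)."""
    parts = [b"." if tok == "??" else b"\\x%02x" % int(tok, 16) for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


# The rule's three patterns, verbatim.
MACRO_SHEET_HIDDEN = yara_hex_to_regex("85 00 ?? ?? ?? ?? ?? ?? 01 01")
MACRO_SHEET_VERY_HIDDEN = yara_hex_to_regex("85 00 ?? ?? ?? ?? ?? ?? 02 01")
CHAR_FUNC = yara_hex_to_regex("06 " + "?? " * 25 + "1E 3D 00 41 6F 00")


def boundsheet(hs_state: int, sheet_type: int, name: bytes = b"Macro1") -> bytes:
    # Assumed BIFF8 BOUNDSHEET (0x0085) layout: lbPlyPos(4) grbit(2) cch(1) flags(1) name.
    # grbit low byte = hsState (1 hidden, 2 very hidden), high byte = dt (1 = macro sheet),
    # which is what the two $macro_sheet_h* patterns key on after six wildcard bytes.
    body = struct.pack("<IBBBB", 0, hs_state, sheet_type, len(name), 0) + name
    return struct.pack("<HH", 0x0085, len(body)) + body


def formula(rgce: bytes) -> bytes:
    # Assumed BIFF8 FORMULA (0x0006) layout: rw(2) col(2) ixfe(2) num(8) grbit(2) chn(4) cce(2) rgce.
    # 06 + 25 wildcards in $char_func covers exactly this header; the parsed expression follows.
    body = struct.pack("<HHH8sHIH", 0, 0, 0, bytes(8), 0, 0, len(rgce)) + rgce
    return struct.pack("<HH", 0x0006, len(body)) + body


# Assumed token stream: ptgInt (0x1E) 61, then ptgFunc (0x41) 0x006F = CHAR, i.e. CHAR(61) == "=".
CHAR_61 = bytes.fromhex("1E3D00416F00")


def rule_matches(data: bytes) -> bool:
    """Same condition as the rule: magic at offset 0, 1 of the macro-sheet patterns, #char_func > 10."""
    return (data.startswith(OLE_MAGIC)
            and (MACRO_SHEET_HIDDEN.search(data) is not None
                 or MACRO_SHEET_VERY_HIDDEN.search(data) is not None)
            and len(CHAR_FUNC.findall(data)) > 10)


def build_sample(hs_state: int, n_char_formulas: int) -> bytes:
    """Constructed buffer: OLE magic, one macro-sheet BOUNDSHEET, n FORMULA records starting with CHAR(61)."""
    return OLE_MAGIC + boundsheet(hs_state, 1) + formula(CHAR_61) * n_char_formulas
```

Varying the hidden state or the formula count shows which of the three sub-conditions blocks a match; a visible macro sheet (hsState 0) or ten or fewer CHAR formulas does not fire.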