dissectmalware

Yara rule - macro_sheet_zloader

Apr 7th, 2020
rule macro_sheet_obfuscated_char
{
    meta:
        description = "Finding hidden/very-hidden macros with many CHAR functions"
        Author = "DissectMalware"
        Sample = "0e9ec7a974b87f4c16c842e648dd212f80349eecb4e636087770bc1748206c3b (Zloader)"

    strings:
        // OLE2 compound file signature; the condition requires it at file offset 0
        $ole_marker = {D0 CF 11 E0 A1 B1 1A E1}
        // BoundSheet8 record (type 0x0085): 2-byte length, 4-byte stream position,
        // then hsState (01 = hidden, 02 = very hidden) and dt (01 = macro sheet)
        $macro_sheet_h1 = {85 00 ?? ?? ?? ?? ?? ?? 01 01}
        $macro_sheet_h2 = {85 00 ?? ?? ?? ?? ?? ?? 02 01}
        // FORMULA record (type 0x0006): the remaining 25 bytes of record header and cell
        // fields are wildcarded, then the token stream begins with ptgInt 61 ('=') and
        // ptgFuncV 0x006F (CHAR), i.e. a cell formula starting with CHAR(61)
        $char_func = {06 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 1E 3D 00 41 6F 00}

    condition:
        $ole_marker at 0 and 1 of ($macro_sheet_h*) and #char_func > 10
}
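As an added example that is not part of the paste, the rule's logic re-implemented in Python over a BIFF8 Workbook record stream, generalised to count =CHAR(n) formulas for any n rather than only CHAR(61). It assumes the caller has already extracted the Workbook stream from the OLE container (the $ole_marker check is not repeated) and uses the standard BIFF8 BoundSheet8 and FORMULA record layouts; the sample records are constructed, not taken from any real file.

```python
import struct

BOUNDSHEET8, FORMULA = 0x0085, 0x0006  # BIFF8 record types
PTG_INT, PTG_FUNC_V, FUNC_CHAR = 0x1E, 0x41, 0x006F  # formula tokens; 0x6F = CHAR (function 111)

def iter_records(stream):
    """Yield (type, body) per BIFF record: 2-byte type, 2-byte length, body."""
    off = 0
    while off + 4 <= len(stream):
        rtype, length = struct.unpack_from("<HH", stream, off)
        yield rtype, stream[off + 4:off + 4 + length]
        off += 4 + length

def hidden_macro_sheets(stream):
    """Names of BoundSheet8 sheets with hsState hidden (1) or very hidden (2) and dt macro sheet (1)."""
    names = []
    for rtype, body in iter_records(stream):
        if rtype == BOUNDSHEET8 and len(body) >= 8:
            hs_state, dt, cch = body[4], body[5], body[6]
            if hs_state in (1, 2) and dt == 1:
                names.append(body[8:8 + cch].decode("latin-1"))  # assumes an 8-bit sheet name
    return names

def count_char_formulas(stream):
    """Count FORMULA records whose token stream starts with ptgInt n, ptgFuncV CHAR: =CHAR(n)."""
    count = 0
    for rtype, body in iter_records(stream):
        if rtype == FORMULA and len(body) >= 28:
            rgce = body[22:]  # row, col, ixfe, num, grbit, chn, cce (22 bytes) precede the tokens
            if rgce[0] == PTG_INT and rgce[3] == PTG_FUNC_V and struct.unpack_from("<H", rgce, 4)[0] == FUNC_CHAR:
                count += 1
    return count

def rule_matches(stream):
    """Same condition as the YARA rule: a hidden/very-hidden macro sheet and more than 10 CHAR formulas."""
    return len(hidden_macro_sheets(stream)) >= 1 and count_char_formulas(stream) > 10

# Constructed sample records (not taken from any real file), built with the layouts above.
def _record(rtype, body):
    return struct.pack("<HH", rtype, len(body)) + body

def _bound_sheet(name, hs_state, dt):  # lbPlyPos, hsState, dt, cch, flags (0 = 8-bit), name
    return _record(BOUNDSHEET8, struct.pack("<IBBBB", 0, hs_state, dt, len(name), 0) + name.encode("latin-1"))

def _formula(rgce):  # row, col, ixfe, num, grbit, chn, cce, then the token bytes
    return _record(FORMULA, struct.pack("<HHH", 0, 0, 0) + b"\0" * 8 + struct.pack("<HIH", 0, 0, len(rgce)) + rgce)

CHAR_61 = struct.pack("<BHBH", PTG_INT, 61, PTG_FUNC_V, FUNC_CHAR)  # same bytes as the tail of $char_func
SAMPLE = _bound_sheet("Sheet1", 0, 0) + _bound_sheet("Macro1", 2, 1) + _formula(CHAR_61) * 12 + _formula(struct.pack("<BH", PTG_INT, 7))
BENIGN = _bound_sheet("Sheet1", 0, 0) + _formula(CHAR_61) * 12  # CHAR-heavy but no hidden macro sheet
```

Running `rule_matches(SAMPLE)` on the constructed stream returns True, while BENIGN (same CHAR count, no hidden macro sheet) returns False, mirroring the `1 of ($macro_sheet_h*)` requirement.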