JohnLaTwC/auto_open_evasion

## auto_open_evasion
rule auto_open_evasion
{
    meta:
        reference="https://malware.pizza/2020/05/12/evading-av-with-excel-macros-and-biff8-xls/"
        hash="e23f9f55e10f3f31a2e76a12b174b6741a2fa1f51cf23dbd69cf169d92c56ed5"
        hash1="bb3c9739de8ffe2e0f375847d41a010463ec19f1d3f578ac053651a51ed69bbc"
        hash2="56ff65b7f6bf5936883f52b50ca66e768b2088158cc77af681ffab7122be7753"
        hash3="97243214ac3cad74d60b0648e39d6a9600860edba51c670b5226e058ba658957"
        hash4 = "9ebf085c05ae94c1b6c4e011001a6c11de3ca754a56ed380314ef501b777e593"

    strings:
        $ole_marker = {D0 CF 11 E0 A1 B1 1A E1}
        $auto_open = { 00 00 00 00 01 [0-2] (61 | 41) [0-5](75 | 55) [0-5](74 | 54) [0-5](6f | 4f) [0-5](5f | 5f) [0-5](6f | 4f) [0-5](70 | 50) [0-5](65 | 45) [0-5](6e | 4e)}

        $plain_auto_open = "auto_open" nocase

    condition:
        filesize < 1MB
        and $ole_marker at 0
        and $auto_open and #plain_auto_open == 0
}
	rule auto_open_evasion
	{
	meta:
	reference="https://malware.pizza/2020/05/12/evading-av-with-excel-macros-and-biff8-xls/"
	hash="e23f9f55e10f3f31a2e76a12b174b6741a2fa1f51cf23dbd69cf169d92c56ed5"
	hash1="bb3c9739de8ffe2e0f375847d41a010463ec19f1d3f578ac053651a51ed69bbc"
	hash2="56ff65b7f6bf5936883f52b50ca66e768b2088158cc77af681ffab7122be7753"
	hash3="97243214ac3cad74d60b0648e39d6a9600860edba51c670b5226e058ba658957"
	hash4 = "9ebf085c05ae94c1b6c4e011001a6c11de3ca754a56ed380314ef501b777e593"

	strings:
	$ole_marker = {D0 CF 11 E0 A1 B1 1A E1}
	$auto_open = { 00 00 00 00 01 [0-2] (61 \| 41) [0-5](75 \| 55) [0-5](74 \| 54) [0-5](6f \| 4f) [0-5](5f \| 5f) [0-5](6f \| 4f) [0-5](70 \| 50) [0-5](65 \| 45) [0-5](6e \| 4e)}

	$plain_auto_open = "auto_open" nocase

	condition:
	filesize < 1MB
	and $ole_marker at 0
	and $auto_open and #plain_auto_open == 0
	}