OOML Excel 4.0 macro
// Plain-XML (unzipped) macrosheet part: an XML declaration as the very first
// bytes, an "<xm:macrosheet" element within the first 0x200 bytes, and at
// least one formula cell carrying one of four Excel 4.0 (XLM) functions.
// The "at 0" anchor means any prefix before "<?xm" (e.g. a byte-order mark)
// makes the rule miss; the formula strings are case-sensitive, so lower-case
// variants of the function names are not matched either.
rule gen_ModernExcel4Macro
{
    meta:
        description = "Detects Modern Excel4 macro use"
        author = "John Lambert @JohnLaTwC"
        date = "2020-04-15"
        hash1 = "308c0fee671459705221c5f1a8cee944f5ea803fddd0faa620cc8266d48c662b"
        hash2 = "618fee2c2f89a4f15b680e1ca9393d25c857e6d107fa0eb45b1a21c7601f975e"
        reference1 = "https://twitter.com/DissectMalware/status/1250411834953420808"

    strings:
        // "<?xm" - leading bytes of the XML declaration
        $xml_decl = { 3c 3f 78 6d }
        // "<xm:macrosheet" - the macrosheet element
        $macrosheet_elem = { 3c 78 6d 3a 6d 61 63 72 6f 73 68 65 65 74 }
        // Formula cells ("<f>...") invoking XLM functions; any one is enough.
        $fn_char = "<f>CHAR("
        $fn_run = "<f>RUN("
        $fn_call = "<f>CALL("
        $fn_goto = "<f>GOTO("

    condition:
        filesize < 2400KB
        and $xml_decl at 0
        and $macrosheet_elem in (0 .. 0x200)
        and 1 of ($fn_*)
}
// OOXML container form: a ZIP archive whose "[Content_Types].xml" entry name
// appears within the first 0x200 bytes and which contains at least one
// "xl/macrosheets/sheetN.xml" entry name. The content-types check assumes that
// entry is stored early in the archive; an archive that places it later is
// not matched by this rule.
rule gen_ModernExcel4MacroZIP
{
    meta:
        description = "Detects Modern Excel4 macro use"
        author = "John Lambert @JohnLaTwC"
        date = "2020-04-15"
        hash = "01558388b33abe05f25afb6e96b0c899221fe75b037c088fa60fe8bbf668f606"
        reference1 = "https://twitter.com/DissectMalware/status/1250411834953420808"

    strings:
        // "PK\x03\x04" - ZIP local file header signature
        $zip_magic = { 50 4b 03 04 }
        $content_types = "[Content_Types].xml" nocase
        // "xl/macrosheets/sheet" + one byte in 0x30..0x3f (the digits, but
        // also ":;<=>?") + at most one arbitrary byte + ".xml".
        // Example as seen in a hex dump of a sample:
        //00000e30: cc 02 00 00 19 00 00 00 78 6c 2f 6d 61 63 72 6f ........xl/macro
        //00000e40: 73 68 65 65 74 73 2f 73 68 65 65 74 34 2e 78 6d sheets/sheet1.xm
        $macrosheet_path = { 78 6c 2f 6d 61 63 72 6f 73 68 65 65 74 73 2f 73 68 65 65 74 3? [0-1] 2e 78 6d 6c}

    condition:
        filesize < 2400KB
        and $zip_magic at 0
        and $content_types in (0 .. 0x200)
        and $macrosheet_path
}
// Narrower variant of gen_ModernExcel4MacroZIP (which must be declared earlier
// in the ruleset) that fires only when the macrosheet path pattern occurs more
// than five times in the archive. ZIP entry names are normally stored twice
// (local file header and central directory), so six hits correspond to about
// three macrosheet parts - confirm that is the intended "many sheets" bar.
rule gen_ModernExcel4MacroZIPManySheets
{
    meta:
        description = "Detects Modern Excel4 macro use with many sheets"
        author = "John Lambert @JohnLaTwC"
        date = "2020-04-15"
        hash = "dfe1f9afcb096c83169a0708ffdc5ed4efbf51dea909c3e3334aa3d1a2ffec6b"
        hash1 = "831cdf20a1a9b8ecd332e330922bd011fd0d32e2f27dbbf6d1f3985b9e640581"
        reference1 = "https://twitter.com/DissectMalware/status/1250411834953420808"

    strings:
        // Same "xl/macrosheets/sheetN.xml" pattern as the parent rule.
        $macrosheet_path = { 78 6c 2f 6d 61 63 72 6f 73 68 65 65 74 73 2f 73 68 65 65 74 3? [0-1] 2e 78 6d 6c}

    condition:
        gen_ModernExcel4MacroZIP
        and #macrosheet_path > 5
}