Some DOCX samples today had the VBA script payload embedded into OLE objects in the DOCX. To a user this looks like document icons in the Word file, and for file analysis they are in the DOCX zip under word/embeddings (Thanks Brian!). After doing a few of these manually, and then dynamically fighting with the Office debugger to get the indicators out of them individually, I took a moment to try and automate at least part of the process.
Loop through the samples in a directory, pull out every embedded OLE object (unzip -j drops the word/embeddings/ path, so the oleObject*.bin files land in the current directory), and scan each one for likely VBA with YARA:
$ for file in efax/*.docx ; do unzip -qq -o -j "$file" "word/embeddings*" ; \
for y in oleObject*; do [ -e "$y" ] || continue; echo -n "$file "; \
yara -f -w vbaoleobj.yara "$y"; done; rm -f oleObject* ; done
Gets output like this:
efax/20yr67z6z38s40el71cl15q99kr30.docx VBA_Dim_String oleObject1.bin
efax/20yr67z6z38s40el71cl15q99kr30.docx VBA_Dim_String oleObject2.bin
efax/20yr67z6z38s40el71cl15q99kr30.docx VBA_Dim_String oleObject3.bin
efax/20yr67z6z38s40el71cl15q99kr30.docx VBA_Dim_String oleObject4.bin
efax/20yr67z6z38s40el71cl15q99kr30.docx VBA_Dim_String oleObject5.bin
Yara rule (WIP):
// two NULs followed by "Dim " (D and M in either case, e.g. "dIM ")
// seen near offset 0xc8e in OLE objects that carry VBA
rule VBA_Dim_String
{
    strings:
        $vba_dim_str = { 00 00 (44|64) 69 (4D|6D) 20 }
    condition:
        // the match has to start inside a narrow window around 0xc8e;
        // pinning it to a fixed offset ("at 0xc8e") didn't work
        $vba_dim_str in (0xc7e..0xc97)
}
// something specific to the campaign samples...
Samples:
- 22215473c5803a2cdb55d29499dd4187
- c81ef478ccb2ff741220b7ab2067dfae
- ten more like that