Last active
May 31, 2019 17:00
-
-
Save clr2of8/f65579f6106905f5e7db98424b3959df to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule rtf_with_embedded_macro_enabled_office_document | |
| { | |
| meta: | |
| description = "RTF file with multiple embedded macro-enabled documents" | |
| weight = 90 | |
| author = "Walmart Information Security" | |
| date = "2019-03-14" | |
| strings: | |
| // Headers of files to look for | |
| $header_rtf = "{\\rt" nocase | |
| $oleheader = "d0cf11e" nocase | |
| $hex_encoded_macro_string = "56424150726f6a656374" nocase | |
| $excel_macro_enabled_obj = "objclass Excel.SheetMacroEnabled" nocase | |
| condition: | |
| ($header_rtf at 0) and $oleheader and ($hex_encoded_macro_string or $excel_macro_enabled_obj) | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment