rule msxls_zloader_formula_ptg_ref_num_op_count
{
    meta:
        description = "Finding XLS2003 documents with a large number of PtgRef->PtgNum->PtgOperator entries"
        Author = "Michael Weber (@BouncyHat)"
    strings:
        $ole_marker = {D0 CF 11 E0 A1 B1 1A E1}
        $ref_num_op_formula = { 06 00 ?? 00 ?? ?? ?? 00 0F [15] ?? 00 44 ?? ?? ?? ?? 1F ?? ?? ?? ?? ?? ?? ?? ( ?? | ?? 15 ) ( 01 | 02 | 03 | 04 | 05 | 06 | 07 ) }
    condition:
        $ole_marker at 0 and #ref_num_op_formula > 1000
}

Based off of formula entries from 6fc69f553c079f20ec20e3e95eb342658dbeef6349acbe50578c550deb3d16b6:

Formula[AO53234]: CG21410+-287.7
00000000   F1 CF 28 00 0F 00 33 33  33 33 33 2B 74 C0 00 00   ñI(···33333+tA··
00000010   ED CF 28 FF 0F 00 44 A1  53 54 00 1F 33 33 33 33   íI(ÿ··D¡ST··3333
00000020   33 FB 71 C0 03                                     3ûqA·

Formula[DU53235]: CG21407+1210.25
00000000   F2 CF 7C 00 0F 00 00 00  00 00 00 B1 91 40 00 00   òI|········±?@··
00000010   EF CF 7C FF 0F 00 44 9E  53 54 00 1F 00 00 00 00   ïI|ÿ··D?ST······
00000020   00 E9 92 40 03                                     ·é?@·

Formula[AO53238]: CG21404+878.79
00000000   F5 CF 28 00 0F 00 B8 1E  85 EB 51 8E 8C 40 00 00   oI(···,·?ëQ??@··
00000010   F1 CF 28 FF 0F 00 44 9B  53 54 00 1F B8 1E 85 EB   ñI(ÿ··D?ST··,·?ë
00000020   51 76 8B 40 03                                     Qv?@·

Formula[DU53239]: CG21403+1387.29
00000000   F6 CF 7C 00 0F 00 5C 8F  C2 F5 28 39 95 40 00 00   öI|···\?Ao(9?@··
00000010   F2 CF 7C FF 0F 00 44 9A  53 54 00 1F 5C 8F C2 F5   òI|ÿ··D?ST··\?Ao
00000020   28 AD 95 40 03                                     (-?@·

Formula[DU53243]: CG21405+1056.73
00000000   FA CF 7C 00 0F 00 52 B8  1E 85 EB AE 90 40 00 00   úI|···R,·?ër?@··
00000010   F6 CF 7C FF 0F 00 44 9C  53 54 00 1F 52 B8 1E 85   öI|ÿ··D?ST··R,·?
00000020   EB 82 90 40 03                                     ë??@·

Formula[DU53245]: CG21407+1293.67
00000000   FC CF 7C 00 0F 00 48 E1  7A 14 AE FE 92 40 00 00   üI|···Ház·r_?@··
00000010   FA CF 7C FF 0F 00 44 9E  53 54 00 1F 48 E1 7A 14   úI|ÿ··D?ST··Ház·
00000020   AE 36 94 40 03                                     r6?@·


michaelweber commented Aug 10, 2020

Latest samples updated to handle multiple operators instead of just addition:

Formula[EQ42931]: GU16753-(781.39)
00000000   B2 A7 92 00 0F 00 85 EB  51 B8 1E 0B 86 C0 00 00   ²�?···?ëQ,··?A··
00000010   AF A7 92 FF 10 00 44 70  41 CA 00 1F 85 EB 51 B8   _�?ÿ··DpAE··?ëQ,
00000020   1E 6B 88 40 15 04                                  ·k?@··

Formula[BM42934]: GU16754-(376.32)
00000000   B5 A7 40 00 0F 00 85 EB  51 B8 1E F5 7B C0 00 00   µ�@···?ëQ,·o{A··
00000010   B2 A7 40 FF 10 00 44 71  41 CA 00 1F 85 EB 51 B8   ²�@ÿ··DqAE··?ëQ,
00000020   1E 85 77 40 15 04                                  ·?w@··

Formula[EQ42935]: GU16757-(783.26)
00000000   B6 A7 92 00 0F 00 AE 47  E1 7A 14 22 86 C0 00 00   ��?···rGáz·"?A··
00000010   B2 A7 92 FF 10 00 44 74  41 CA 00 1F AE 47 E1 7A   ²�?ÿ··DtAE··rGáz
00000020   14 7A 88 40 15 04
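As an added example (not the gist author's code), a small Python decoder for the FORMULA record bytes in these dumps: it walks the BIFF record stream, turns the PtgRef / PtgNum / PtgParen / operator token stream (rgce) back into the formula text shown above, and counts records of that shape the way the rule's `#ref_num_op_formula` does. The `06 00 <len>` record headers and the trailing NUMBER record in `SAMPLE` are constructed; the 22-byte FORMULA header layout is an assumption read off the dumps.

```python
import struct
# BIFF8 Ptg token ids seen in the dumps above, and the FORMULA record type
PTG_REF, PTG_NUM, PTG_PAREN, FORMULA_RECORD = 0x44, 0x1F, 0x15, 0x0006
PTG_OPS = {0x03: "+", 0x04: "-", 0x05: "*", 0x06: "/", 0x07: "^"}

def col_name(col):  # 0-based column index -> A1-style letters (40 -> 'AO', 84 -> 'CG')
    name, col = "", col + 1
    while col:
        col, rem = divmod(col - 1, 26)
        name = chr(65 + rem) + name
    return name

def decode_rgce(rgce):  # evaluate the RPN token stream of a FORMULA record into infix text
    stack, i = [], 0
    while i < len(rgce):
        ptg = rgce[i]
        if ptg == PTG_REF:              # row u16, col u16; the top two col bits are rel flags
            row, col = struct.unpack_from("<HH", rgce, i + 1)
            stack.append(f"{col_name(col & 0x3FFF)}{row + 1}")
            i += 5
        elif ptg == PTG_NUM:            # little-endian IEEE-754 double
            stack.append(f"{struct.unpack_from('<d', rgce, i + 1)[0]:.10g}")
            i += 9
        elif ptg == PTG_PAREN:          # parenthesise the operand on top of the stack
            stack.append(f"({stack.pop()})")
            i += 1
        elif ptg in PTG_OPS:            # binary operator: pop two operands, push the result
            b, a = stack.pop(), stack.pop()
            stack.append(f"{a}{PTG_OPS[ptg]}{b}")
            i += 1
        else:
            raise ValueError(f"unsupported ptg 0x{ptg:02x}")
    return stack[0]

def iter_formulas(stream):  # walk u16-type/u16-length BIFF records; yield (cell, rgce) per FORMULA
    off = 0
    while off + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, off)
        body, off = stream[off + 4:off + 4 + rlen], off + 4 + rlen
        if rtype == FORMULA_RECORD and len(body) >= 22:  # 22-byte header: row col ixfe num grbit chn cce
            row, col, cce = struct.unpack_from("<HH16xH", body)
            yield f"{col_name(col)}{row + 1}", body[22:22 + cce]

def count_ref_num_op(stream):  # the rule's #ref_num_op_formula: PtgRef, PtgNum, [PtgParen], operator
    return sum(1 for _, r in iter_formulas(stream)
               if len(r) >= 15 and r[0] == PTG_REF and r[5] == PTG_NUM and r[-1] in PTG_OPS)

# Constructed sample: one dump per comment above with its 06 00 <len> header, then a NUMBER record (0x0203) to skip
SAMPLE = (bytes.fromhex("06002500F1CF28000F0033333333332B74C00000EDCF28FF0F0044A15354001F3333333333FB71C003")
          + bytes.fromhex("06002600B2A792000F0085EB51B81E0B86C00000AFA792FF1000447041CA001F85EB51B81E6B88401504")
          + bytes.fromhex("03020E00") + bytes(14))
```

Running `[(cell, decode_rgce(r)) for cell, r in iter_formulas(SAMPLE)]` reproduces the two `Formula[...]` lines from the comments, and `count_ref_num_op(SAMPLE)` gives the per-file count the rule thresholds at 1000.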
