Gist: michaelweber/7d89f01d04dc8174c4cb4bf4db525861
rule msxls_zloader_formula_ptg_ref_num_op_count
{
    meta:
        description = "Finding XLS2003 documents with a large number of PtgRef->PtgNum->PtgOperator entries"
        Author = "Michael Weber (@BouncyHat)"
    strings:
        // OLE2 compound-file magic; a BIFF8 .xls must start with it
        $ole_marker = {D0 CF 11 E0 A1 B1 1A E1}
        // BIFF FORMULA record (type 0x0006): type, length, rw, col, ixfe low byte 0x0F, [num(8) grbit(2) chn(4)], cce,
        // then rgce = PtgRefV (0x44, 4-byte ref) -> PtgNum (0x1F, 8-byte double) [-> PtgParen 0x15] -> token 0x01..0x07
        // (0x03..0x07 are PtgAdd/Sub/Mul/Div/Power; the range as written also admits 0x01 PtgExp and 0x02 PtgTbl)
        $ref_num_op_formula = { 06 00 ?? 00 ?? ?? ?? 00 0F [15] ?? 00 44 ?? ?? ?? ?? 1F ?? ?? ?? ?? ?? ?? ?? ( ?? | ?? 15 ) ( 01 | 02 | 03 | 04 | 05 | 06 | 07 ) }
    condition:
        // fire only when this exact formula shape repeats more than 1000 times in the file
        $ole_marker at 0 and #ref_num_op_formula > 1000
}
michaelweber commented Aug 10, 2020

Latest samples updated to handle multiple operators instead of just addition:

Formula[EQ42931]: GU16753-(781.39)
00000000   B2 A7 92 00 0F 00 85 EB  51 B8 1E 0B 86 C0 00 00
00000010   AF A7 92 FF 10 00 44 70  41 CA 00 1F 85 EB 51 B8
00000020   1E 6B 88 40 15 04

Formula[BM42934]: GU16754-(376.32)
00000000   B5 A7 40 00 0F 00 85 EB  51 B8 1E F5 7B C0 00 00
00000010   B2 A7 40 FF 10 00 44 71  41 CA 00 1F 85 EB 51 B8
00000020   1E 85 77 40 15 04

Formula[EQ42935]: GU16757-(783.26)
00000000   B6 A7 92 00 0F 00 AE 47  E1 7A 14 22 86 C0 00 00
00000010   B2 A7 92 FF 10 00 44 74  41 CA 00 1F AE 47 E1 7A
00000020   14 7A 88 40 15 04
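Added example (Python, not code from the gist or its author): a small parser for the BIFF8 FORMULA record layout that the YARA hex string encodes, run over the three records dumped above, next to a bytes-regex transliteration of that hex string so the two counting methods can be compared. The three FORMULA bodies are the bytes posted in the comment; the 4-byte record headers, the BLANK record and the `=1.5+A1` formula in B1 are constructed here to show records the pattern must ignore, and `col_letters`, `parse_rgce`, `render`, `matches_rule`, `formula_records`, `count_structured` and `count_yara_style` are names chosen for this example.

```python
import re
import struct

FORMULA = 0x0006
PTG_PAREN, PTG_NUM, PTG_REF_V = 0x15, 0x1F, 0x44
# Binary operators 0x03..0x07; the rule's ( 01 | ... | 07 ) range also admits 0x01 PtgExp and 0x02 PtgTbl
OPERATORS = {0x03: "+", 0x04: "-", 0x05: "*", 0x06: "/", 0x07: "^"}

def col_letters(col):
    """0-based column index to A1-style letters: 0 -> A, 64 -> BM, 202 -> GU."""
    out, col = "", col + 1
    while col:
        col, rem = divmod(col - 1, 26)
        out = chr(ord("A") + rem) + out
    return out

def parse_rgce(rgce):
    """Tokenise a formula expression into (ptg, text) pairs; only the Ptg types seen here."""
    tokens, i = [], 0
    while i < len(rgce):
        ptg = rgce[i]
        if ptg == PTG_REF_V:        # rw(2) + col(2); fRwRel/fColRel flags sit in col's top bits
            rw, col = struct.unpack_from("<HH", rgce, i + 1)
            tokens.append((ptg, f"{col_letters(col & 0x3FFF)}{rw + 1}"))
            i += 5
        elif ptg == PTG_NUM:        # little-endian IEEE 754 double
            tokens.append((ptg, f"{struct.unpack_from('<d', rgce, i + 1)[0]:g}"))
            i += 9
        elif ptg == PTG_PAREN or ptg in OPERATORS:
            tokens.append((ptg, None))
            i += 1
        else:
            raise ValueError(f"unsupported ptg 0x{ptg:02x} at rgce offset {i}")
    return tokens

def render(tokens):
    """Rebuild infix text from the RPN token list; PtgParen wraps the stack top."""
    stack = []
    for ptg, text in tokens:
        if ptg == PTG_PAREN:
            stack.append(f"({stack.pop()})")
        elif ptg in OPERATORS:
            rhs, lhs = stack.pop(), stack.pop()
            stack.append(f"{lhs}{OPERATORS[ptg]}{rhs}")
        else:
            stack.append(text)
    return stack[0]

def matches_rule(tokens):
    """The chain the hex string encodes: PtgRefV, PtgNum, optional PtgParen, operator."""
    ptgs = [p for p, _ in tokens]
    if ptgs[:2] != [PTG_REF_V, PTG_NUM]:
        return False
    rest = ptgs[3:] if ptgs[2:3] == [PTG_PAREN] else ptgs[2:]
    return bool(rest) and rest[0] in OPERATORS

def formula_records(data):
    """Walk the BIFF record stream; yield (cell, tokens) for each FORMULA record.
    Body layout: rw(2) col(2) ixfe(2) num(8) grbit(2) chn(4) cce(2) rgce[cce]."""
    off = 0
    while off + 4 <= len(data):
        rtype, rlen = struct.unpack_from("<HH", data, off)
        if rtype == FORMULA:
            rw, col = struct.unpack_from("<HH", data, off + 4)
            (cce,) = struct.unpack_from("<H", data, off + 24)
            yield f"{col_letters(col)}{rw + 1}", parse_rgce(data[off + 26:off + 26 + cce])
        off += 4 + rlen

def decode_formulas(data):
    """{cell: formula text} for every FORMULA record in the stream."""
    return {cell: render(tokens) for cell, tokens in formula_records(data)}

def count_structured(data):
    """Records whose token chain matches the rule: what YARA's #ref_num_op_formula counts."""
    return sum(matches_rule(tokens) for _, tokens in formula_records(data))

# Byte-for-byte transliteration of the rule's hex string into a bytes regex.
YARA_HEX = re.compile(
    rb"\x06\x00.\x00...\x00\x0f.{15}.\x00\x44....\x1f.{7}(?:.|.\x15)[\x01-\x07]", re.DOTALL)

def count_yara_style(data):
    """Raw pattern hits, the way the YARA string counts them, without parsing records."""
    return len(YARA_HEX.findall(data))

def rec(rtype, body):            # prefix a record body with its 4-byte BIFF header
    return struct.pack("<HH", rtype, len(body)) + body

# Constructed sample stream. The three FORMULA bodies are the byte dumps posted in the gist
# comment (they start at rw, so rec() adds the header); the BLANK record and the =1.5+A1
# formula in B1 are made up here to show records the pattern must ignore.
SAMPLE = b"".join([
    rec(0x0201, bytes.fromhex("0000 0000 0F00")),
    rec(FORMULA, bytes.fromhex("B2A7 9200 0F00 85EB51B81E0B86C0 0000 AFA792FF 1000"
                               "44 7041 CA00 1F 85EB51B81E6B8840 15 04")),
    rec(FORMULA, bytes.fromhex("B5A7 4000 0F00 85EB51B81EF57BC0 0000 B2A740FF 1000"
                               "44 7141 CA00 1F 85EB51B81E857740 15 04")),
    rec(FORMULA, bytes.fromhex("B6A7 9200 0F00 AE47E17A142286C0 0000 B2A792FF 1000"
                               "44 7441 CA00 1F AE47E17A147A8840 15 04")),
    rec(FORMULA, bytes.fromhex("0000 0100 0F00 0000000000000000 0000 00000000 0F00"
                               "1F 000000000000F83F 44 0000 00C0 03")),
])
```

`decode_formulas(SAMPLE)` reproduces the `Formula[EQ42931]: GU16753-(781.39)` lines from the comment, and `count_structured(SAMPLE)` and `count_yara_style(SAMPLE)` both count the three records. On a real workbook stream the two can diverge: the hex string additionally pins the ixfe low byte to 0x0F and needs the record length and the cell column to fit in one byte, while the token check only looks at the rgce chain, so the structured count is the upper bound of what the YARA string can hit. Both only see the uncompressed Workbook stream, so run them on the stream extracted from the OLE container, not on the raw .xls, unless the file happens to store it contiguously.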
