michaelweber / msxls_zloader_anti_sandbox_biff_formula.yara
Last active August 10, 2020 18:22
ZLoader Anti-Sandbox Formula
rule msxls_zloader_anti_sandbox_biff_formula
{
    meta:
        description = "Finding XLS2003 documents with a specific anti-sandbox expression"
        Author = "Michael Weber (@BouncyHat)"
    strings:
        // OLE2 / Compound File Binary header magic; anchors the rule to .xls containers
        $ole_marker = {D0 CF 11 E0 A1 B1 1A E1}
        // FORMULA record (0x0006); the [20-30] jump skips the record length and cell fields.
        // The rgce that follows is a run of PtgInt arguments (1E xx xx) to PtgFuncV 0x00BA
        // (GET.WORKSPACE) joined by comparison operators, closed by PtgFuncVar 0x0024 (AND)
        // with six arguments (42 06 24 00).
        $anti_sandbox_formula = { 06 00 [20-30] 42 00 AD 80 1E 13 00 41 BA 00 1E 0D 00 41 BA 00 1E 02 03 0D 1E 0E 00 41 BA 00 1E 86 01 0D 1E 1F 00 41 BA 00 1D 00 0B 1E 2A 00 41 BA 00 42 06 24 00 }
    condition:
        $ole_marker at 0 and $anti_sandbox_formula
}

rule msxls_zloader_formula_ptg_ref_num_op_count
{
    meta:
        description = "Finding XLS2003 documents with a large number of PtgRef->PtgNum->PtgOperator entries"
        Author = "Michael Weber (@BouncyHat)"
    strings:
        $ole_marker = {D0 CF 11 E0 A1 B1 1A E1}
        // FORMULA record whose rgce starts with PtgRefV (44 + 4 bytes), a PtgNum (1F + 8 bytes),
        // an optional PtgParen (15) and then a binary operator token
        $ref_num_op_formula = { 06 00 ?? 00 ?? ?? ?? 00 0F [15] ?? 00 44 ?? ?? ?? ?? 1F ?? ?? ?? ?? ?? ?? ?? ( ?? | ?? 15 ) ( 01 | 02 | 03 | 04 | 05 | 06 | 07 ) }
    condition:
        // #string is the match count: fire only when the file holds more than 1000 such records
        $ole_marker at 0 and #ref_num_op_formula > 1000
}
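What the hex in these rules encodes is easier to see once the rgce (the Ptg token stream that follows the FORMULA record's cce field) is decoded. The Python below is an added example, not code from the gist or from Macrome: it walks the postfix token stream and rebuilds infix XLM text, so the $anti_sandbox_formula run reads as a set of GET.WORKSPACE checks combined by AND, and it also encodes the two user-defined-function calls from the comparison gist further down (EokdmdoLRXOG() and SnJUk(81003)) to show why a throwaway numeric argument changes the bytes a signature keys on. The function table is a deliberately minimal, constructed subset of the MS-XLS Ftab (0x0024 AND, 0x00BA GET.WORKSPACE, ifunc 0x00FF for a call of a defined name); the GET.WORKSPACE argument meanings in the comments are the commonly documented ones; all byte strings and the names table are constructed for the example.

```python
import struct

# Added example, not gist/Macrome code. The function table is a minimal, constructed subset
# of the MS-XLS Ftab; the byte strings and the names table below are constructed as well.
BINOPS = {0x03: "+", 0x04: "-", 0x05: "*", 0x06: "/", 0x07: "^", 0x08: "&",   # PtgAdd..PtgConcat
          0x09: "<", 0x0A: "<=", 0x0B: "=", 0x0C: ">=", 0x0D: ">", 0x0E: "<>"}  # PtgLt..PtgNe
FTAB = {0x0024: ("AND", None), 0x00BA: ("GET.WORKSPACE", 1)}  # ifunc -> (name, fixed argc or None)
UDF_IFUNC = 0x00FF  # PtgFuncVar with this ifunc calls a defined name; its first argument is the PtgName

def _col_letters(col0):
    """0-based column index -> Excel column letters (0 -> A, 26 -> AA)."""
    s, c = "", col0 + 1
    while c:
        c, r = divmod(c - 1, 26)
        s = chr(65 + r) + s
    return s

def decode_rgce(rgce, names=()):
    """Walk a postfix rgce and return infix formula text.
    names: defined names by NAME index (1-based, as PtgName stores it). Only the token
    types the samples need are implemented; anything else raises rather than mis-reading."""
    stack, i = [], 0
    while i < len(rgce):
        ptg = rgce[i]
        i += 1
        base = (0x20 | (ptg & 0x1F)) if ptg >= 0x20 else ptg  # strip ref/value/array class bits
        if base in BINOPS:
            b, a = stack.pop(), stack.pop()
            stack.append(f"{a}{BINOPS[base]}{b}")
        elif base == 0x15:                                     # PtgParen
            stack.append(f"({stack.pop()})")
        elif base == 0x1D:                                     # PtgBool: 1 byte
            stack.append("TRUE" if rgce[i] else "FALSE")
            i += 1
        elif base == 0x1E:                                     # PtgInt: uint16
            stack.append(str(struct.unpack_from("<H", rgce, i)[0]))
            i += 2
        elif base == 0x1F:                                     # PtgNum: float64
            v = struct.unpack_from("<d", rgce, i)[0]
            stack.append(str(int(v)) if v.is_integer() else repr(v))
            i += 8
        elif base == 0x21:                                     # PtgFunc: fixed-arity built-in
            (iftab,) = struct.unpack_from("<H", rgce, i)
            i += 2
            name, argc = FTAB[iftab]
            if argc is None:
                raise ValueError(f"{name} is variadic and must use PtgFuncVar")
            args = [stack.pop() for _ in range(argc)][::-1]
            stack.append(f"{name}({','.join(args)})")
        elif base == 0x22:                                     # PtgFuncVar: cparams u8, tab u16
            cparams, tab = struct.unpack_from("<BH", rgce, i)
            i += 3
            ifunc = tab & 0x7FFF                               # bit 15 is fCeFunc
            args = [stack.pop() for _ in range(cparams)][::-1]
            if ifunc == UDF_IFUNC:
                stack.append(f"{args[0]}({','.join(args[1:])})")
            else:
                stack.append(f"{FTAB[ifunc][0]}({','.join(args)})")
        elif base == 0x23:                                     # PtgName: uint32 name index
            (idx,) = struct.unpack_from("<I", rgce, i)
            i += 4
            stack.append(names[idx - 1])
        elif base == 0x24:                                     # PtgRef: rw u16, col u16 (+rel flags)
            rw, col = struct.unpack_from("<HH", rgce, i)
            i += 4
            stack.append(f"{_col_letters(col & 0x3FFF)}{rw + 1}")
        else:
            raise ValueError(f"unsupported ptg 0x{ptg:02X} at offset {i - 1}")
    if len(stack) != 1:
        raise ValueError(f"malformed rgce: {len(stack)} values left on the stack")
    return stack[0]

def encode_udf_call(name_index, arg=None):
    """rgce for NAME() or NAME(number): PtgName, optional literal, PtgFuncVar ifunc 0xFF.
    0..65535 fits a 3-byte PtgInt; anything else (e.g. 81003) needs a 9-byte PtgNum, so the
    junk argument reshapes the bytes a signature keys on without changing what runs."""
    rgce = struct.pack("<BI", 0x23, name_index)
    cparams = 1
    if arg is not None:
        if isinstance(arg, int) and 0 <= arg <= 0xFFFF:
            rgce += struct.pack("<BH", 0x1E, arg)
        else:
            rgce += struct.pack("<Bd", 0x1F, float(arg))
        cparams += 1
    return rgce + struct.pack("<BBH", 0x42, cparams, UDF_IFUNC)

# Constructed sample: the Ptg run from $anti_sandbox_formula starting at its first PtgInt.
# The rule's bytes before that (42 00 AD 80) are left out, so AND gets cparams 5, not 6.
ANTI_SANDBOX_RGCE = bytes.fromhex(
    "1E 13 00 41 BA 00"              # GET.WORKSPACE(19)          mouse present?
    "1E 0D 00 41 BA 00 1E 02 03 0D"  # GET.WORKSPACE(13) > 770    workspace width
    "1E 0E 00 41 BA 00 1E 86 01 0D"  # GET.WORKSPACE(14) > 390    workspace height
    "1E 1F 00 41 BA 00 1D 00 0B"     # GET.WORKSPACE(31) = FALSE  not single-stepping
    "1E 2A 00 41 BA 00"              # GET.WORKSPACE(42)          sound capable?
    "42 05 24 00")                   # AND(...) over the five results
# Constructed sample of the shape $ref_num_op_formula counts: PtgRefV A1, PtgNum 2, PtgAdd.
REF_NUM_OP_RGCE = bytes.fromhex("44 00 00 00 00") + struct.pack("<Bd", 0x1F, 2.0) + b"\x03"

if __name__ == "__main__":
    print(decode_rgce(ANTI_SANDBOX_RGCE))
    print(decode_rgce(encode_udf_call(1, 81003), ["SnJUk"]))
```

Decoding ANTI_SANDBOX_RGCE yields AND(GET.WORKSPACE(19),GET.WORKSPACE(13)>770,GET.WORKSPACE(14)>390,GET.WORKSPACE(31)=FALSE,GET.WORKSPACE(42)), and REF_NUM_OP_RGCE decodes to A1+2. The SnJUk(81003) record is nine bytes longer than EokdmdoLRXOG() because 81003 does not fit a PtgInt and is stored as a PtgNum, and the PtgFuncVar cparams byte changes from 1 to 2: the macro behaves the same, but any rule that matched the old token bytes exactly misses the new one, which is the point the comparison gist makes.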
michaelweber / Aug 10 ZLoader vs Aug 8 Zloader.md
Last active August 12, 2020 15:23
Comparing ZLoader XLM Content

Here's a rough dump of the macros for these two ZLoader payloads, produced with my tool Macrome. One was first seen on August 8th by Abuse.ch; the other was identified by @jcarndt on August 10th. The files are functionally identical, but there are some minor differences that have probably contributed to signature evasion:

  1. User-defined functions are being passed random arguments, which changes the BIFF record signature entirely. Note that the arguments aren't actually used. In the Aug 8 sample you'd see something like Formula[GK11912]: EokdmdoLRXOG(); in the Aug 10 sample we see Formula[DK4376]: SnJUk(81003). That value 81003 is used purely to change the look of the invocation on disk - if you were trying to count a bunch of user defined f