Extracted YARA rules from BlackHat USA 2019 talk "Worm Charming - Harvesting Malware Lures for Fun and Profit"
// macro_hunter: flags newly submitted Office documents that carry macros.
// `new_file` and `tags` are not YARA built-ins. They are external variables
// supplied by the scanning platform (these rules read as VirusTotal hunting
// rules), so plain `yara` will refuse to compile this without them defined.
rule macro_hunter
{
    strings:
        // OLE2 / Compound File Binary signature, required at offset 0.
        $cfb_magic = {D0 CF 11 E0 A1 B1 1A E1}

        // Record id 0x0085, six wildcard bytes, then a two-byte tail.
        // NOTE(review): this reads as a BIFF BOUNDSHEET entry whose tail is
        // the hidden (01) / very-hidden (02) state followed by sheet type 01
        // (macro sheet) - confirm against the file-format specification.
        $macro_sheet_hidden     = {85 00 ?? ?? ?? ?? ?? ?? 01 01}
        $macro_sheet_veryhidden = {85 00 ?? ?? ?? ?? ?? ?? 02 01}

    condition:
        new_file and
        (
            // Structural evidence: an OLE2 container with a matching sheet record.
            ($cfb_magic at 0 and any of ($macro_sheet_*)) or
            // Platform verdict: the service already tagged the sample.
            tags contains "macros"
        )
}
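// maldoc_hunter: newly submitted Office documents that either have at least
// one AV detection or embed a Word ActiveX control.
// `new_file`, `file_type`, `tags` and `positives` are external variables
// provided by the hunting platform, not YARA built-ins.
rule maldoc_hunter
{
    strings:
        // ZIP local-file header "PK\x03\x04" followed by the bytes 14 00 06 00.
        // A fixed byte sequence belongs in a hex string: it matches exactly
        // what the anchored regex matched, without invoking the regex engine.
        $docx_magic = {50 4B 03 04 14 00 06 00}

        // Both parts of the first ActiveX control in a Word package.
        // These paths are Word-specific ("word/..."), so ActiveX parts in
        // other OOXML document types are not covered by this branch.
        $activex_1 = "word/activeX/activeX1.bin"
        $activex_2 = "word/activeX/activeX1.xml"

    condition:
        new_file and
        // Exclude anything starting with "MZ": PE files are out of scope here.
        not (uint16be(0x0) == 0x4d5a)
        and
        (
            // Any one of these is enough to treat the sample as an Office file.
            file_type contains "office" or
            tags contains "office" or
            $docx_magic at 0
        )
        and
        (
            // A single engine detection qualifies, so expect noisy results;
            // raise the threshold if triage volume becomes a problem.
            positives > 0 or
            all of ($activex*)
        )
}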
// maljar_hunter: newly submitted Java archives or class files that have at
// least one AV detection. The rule has no strings of its own; it relies
// entirely on platform-supplied external variables (`new_file`, `positives`,
// `tags`, `file_type`), so it cannot run under plain yara.
rule maljar_hunter
{
    condition:
        new_file and
        (
            // `contains` is a substring test, so any type or tag value that
            // merely includes "jar" or "class" satisfies this group.
            file_type contains "jar" or file_type contains "class" or
            tags contains "jar" or tags contains "class"
        ) and
        positives > 0
}
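// rtf_hunter: newly submitted RTF files that have at least one AV detection.
// `new_file`, `positives`, `file_type` and `tags` are external variables
// provided by the hunting platform, not YARA built-ins.
rule rtf_hunter
{
    strings:
        // Four bytes "{\rt" (the backslash is escaped in the literal). This is
        // shorter than the full "{\rtf1" header, so truncated or malformed
        // headers that start the same way still match.
        $magic = "{\\rt"

    condition:
        new_file and positives > 0 and
        (
            file_type contains "rtf" or
            // The operator is `contains`; a misspelled operator is a compile
            // error and stops the whole ruleset from loading.
            tags contains "rtf" or
            $magic at 0
        )
}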
// pdfjs_hunter: newly submitted PDF files that the platform has tagged as
// containing JavaScript. The rule does not look for JavaScript itself: that
// signal comes only from the external "js-embedded" tag. `new_file`, `tags`
// and `file_type` are platform-supplied external variables.
rule pdfjs_hunter
{
    strings:
        $pdf_header = "%PDF"

    condition:
        new_file and
        tags contains "js-embedded" and
        (
            // Accept the header anywhere in the first 1024 bytes rather than
            // only at offset 0, or fall back to the platform's file type.
            $pdf_header in (0..1024) or
            file_type contains "pdf"
        )
}
// swfdoc_hunter: documents that embed a Flash (SWF) object.
// Files starting with "MZ" are excluded because PE files were being
// misclassified as matches.
// NOTE(review): unlike the other hunting rules in this set, this condition
// has no `new_file` gate and no Office file-type check, so it relies on the
// two byte patterns alone - confirm that is intended before deploying.
rule swfdoc_hunter
{
    strings:
        // Byte-serialised CLSID D27CDB6E-AE6D-11CF-96B8-444553540000
        // (the Shockwave Flash ActiveX control).
        $flash_clsid = { 6e db 7c d2 6d ae cf 11 96 b8 44 45 53 54 00 00 }

        // ASCII "WS", the shared tail of the FWS / CWS / ZWS SWF signatures.
        // NOTE(review): a two-byte pattern occurs in almost any file, so it
        // adds little selectivity and yara may warn that it slows scanning;
        // the CLSID above carries nearly all of the detection weight.
        $swf_sig_tail = { 57 53 }

    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" header.
        not (uint16(0) == 0x5A4D) and
        all of them
}