/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule Contains_VBA_macro_code
{
meta:
author = "evild3ad"
description = "Detect a MS Office document with embedded VBA macro code"
date = "2016-01-09"
filetype = "Office documents"
strings:
$officemagic = { D0 CF 11 E0 A1 B1 1A E1 }
$zipmagic = "PK"
$97str1 = "_VBA_PROJECT_CUR" wide
$97str2 = "VBAProject"
$97str3 = { 41 74 74 72 69 62 75 74 00 65 20 56 42 5F } // Attribute VB_
$xmlstr1 = "vbaProject.bin"
$xmlstr2 = "vbaData.xml"
condition:
($officemagic at 0 and any of ($97str*)) or ($zipmagic at 0 and any of ($xmlstr*))
}