diff --git a/malicious_document.yar b/malicious_document.yar
index d61389e..960d5b2 100644
--- a/malicious_document.yar
+++ b/malicious_document.yar
@@ -193,3 +193,27 @@ rule macrocheck
 condition:
 all of ($PARAM*) or (($invalid or $userloginform or $userform) and ($up1 or $up2))
 }
+rule office_document_vba
+{
+ meta:
+ description = "Office document with embedded VBA"
+ author = "Jean-Philippe Teissier / @Jipe_"
+ date = "2013-12-17"
+ reference = "https://github.com/jipegit/"
+
+ strings:
+ $officemagic = { D0 CF 11 E0 A1 B1 1A E1 }
+ $zipmagic = "PK"
+
+ $97str1 = "_VBA_PROJECT_CUR" wide
+ $97str2 = "VBAProject"
+ $97str3 = { 41 74 74 72 69 62 75 74 00 65 20 56 42 5F }
+
+ $xmlstr1 = "vbaProject.bin"
+ $xmlstr2 = "vbaData.xml"
+
+ condition:
+ ($officemagic at 0 and any of ($97str*)) or ($zipmagic at 0 and any of ($xmlstr*))
+}
+
+
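Review bot: The new rule fires on every macro-enabled document, benign or not, yet it lands in malicious_document.yar with a description that reads like a verdict; the meta should make the triage intent explicit, e.g. `description = "Office document with embedded VBA (presence indicator, not a malice verdict - expect benign hits)"`. In an OLE2 container the storage and stream names in the directory are UTF-16LE, which is why `$97str1` is declared `wide`, but `$97str2 = "VBAProject"` is ASCII-only and so depends on an ASCII occurrence elsewhere in the file; declaring it `$97str2 = "VBAProject" ascii wide` covers both encodings with no loss. For the OOXML branch, `$zipmagic = "PK"` at offset 0 also accepts the spanned/empty-archive signatures, so requiring a real local file header, `$zipmagic = { 50 4B 03 04 }`, is slightly tighter at no cost. Documents that carry VBA only inside an embedded OLE object (an RTF wrapper, for instance) will not match either branch because of the `at 0` anchors; that is presumably intended, but worth a comment so nobody widens the rule by accident.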